Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities Amid Active Exploitation Threats

August 26, 2025
  • Security researcher Kevin Beaumont confirmed these flaws were exploited as zero-days before patches were issued, so affected organizations should treat patching as urgent and also check for, and respond to, any persistent access an attacker may already have established.

  • NetScaler appliances remain high-value targets for ransomware groups and nation-states, given their position at the edge of enterprise networks and the speed at which earlier vulnerabilities such as CitrixBleed were weaponized.

  • Citrix has released urgent security patches for three vulnerabilities in its NetScaler ADC and Gateway products, including the actively exploited CVE-2025-7775, which poses a significant threat.

  • The patched vulnerabilities include CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, with CVE-2025-7775 being a critical memory overflow that allows remote code execution or denial-of-service.

  • CVE-2025-7775, with a CVSS score of 9.2, is a memory overflow vulnerability that can lead to remote code execution or DoS; it affects unmitigated appliances configured as Gateway or AAA virtual servers with IPv6.

  • CVE-2025-8424 involves improper access control on the management interface, with a CVSS score of 8.7; exploitation requires access to management IPs or a subnet IP (SNIP) with management access enabled.

  • These vulnerabilities are the latest in a series of recently weaponized Citrix flaws, following similar issues such as CVE-2025-5777 and CVE-2025-6543, underscoring the ongoing risk of active exploitation.

  • The vulnerabilities impact both on-premises and hybrid deployments of Citrix's Zero Trust access tool, Secure Private Access, broadening the attack surface.

  • Affected organizations are urged to upgrade to fixed versions of the software, including 14.1-47.48+ and 13.1-59.22+, as no workarounds are available.

  • Citrix advises immediate patching rather than any workaround; no fixes are available for end-of-life versions such as NetScaler 12.0 or 13.0, which must be upgraded to a supported, fixed release.

  • Exploitation of these vulnerabilities depends on specific configurations: the appliance being set up as a Gateway or AAA virtual server with IPv6 or certain service bindings, or an attacker having access to management IPs.

  • Citrix credited security researchers Jimi Sebree, Jonathan Hetzer, and François Hämmerli for discovering these vulnerabilities, which were reported by bug bounty participants.
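Because the fixed builds and end-of-life branches above are the only actionable facts an administrator has to work with until the appliance is upgraded, the following added example (not Citrix code, and not from any of the summarized sources) shows how to triage a fleet's reported versions against them. It assumes NetScaler version strings of the form `14.1-47.48` (major.minor-build.revision) and that the CLI command `show ns version` reports a line shaped like `NetScaler NS14.1: Build 47.46.nc, Date: ...`; the sample lines below are constructed, and only the two fixed builds and two EOL branches named in this summary are encoded, so FIPS/NDcPP or other branches the page does not mention are reported as unknown rather than guessed at.

```python
import re
from typing import Dict, Tuple

# Fixed builds named in the summary above. Branches not listed here
# (for example FIPS/NDcPP builds) are deliberately left out because the
# page does not state their fixed builds (assumption: do not guess).
FIXED_BUILDS = {
    "14.1": "14.1-47.48",
    "13.1": "13.1-59.22",
}

# Branches the summary describes as end-of-life with no fix available.
EOL_BRANCHES = {"12.0", "13.0"}

# major.minor-build.revision, e.g. "14.1-47.48"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Assumed shape of the `show ns version` output line (constructed format):
# "NetScaler NS14.1: Build 47.46.nc, Date: Jan 01 2025, 00:00:00   (nc)"
SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Split '14.1-47.48' into a comparable (major, minor, build, revision) tuple."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {v!r}")
    major, minor, build, rev = (int(x) for x in m.groups())
    return (major, minor, build, rev)


def version_from_show_ns_version(line: str) -> str:
    """Extract '14.1-47.46' from a `show ns version` output line."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError(f"could not find a version in: {line!r}")
    return f"{m.group(1)}-{m.group(2)}"


def assess(version: str) -> str:
    """Classify one version as fixed / vulnerable / eol-no-fix / unknown-branch.

    'fixed' means the build is at or above the fixed build for its branch
    (the '+' in '14.1-47.48+'); it says nothing about whether the
    vulnerable Gateway/AAA/IPv6 or management-access configuration is
    present, nor whether the appliance was already compromised pre-patch.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in EOL_BRANCHES:
        return "eol-no-fix"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def assess_fleet(show_version_lines: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status, given each appliance's `show ns version` line."""
    return {
        name: assess(version_from_show_ns_version(line))
        for name, line in show_version_lines.items()
    }


if __name__ == "__main__":
    # Constructed sample output; the hostnames and dates are placeholders.
    fleet = {
        "ns-gw-01": "NetScaler NS14.1: Build 47.46.nc, Date: Jan 01 2025, 00:00:00   (nc)",
        "ns-gw-02": "NetScaler NS14.1: Build 47.48.nc, Date: Jan 01 2025, 00:00:00   (nc)",
        "ns-aaa-01": "NetScaler NS13.1: Build 59.19.nc, Date: Jan 01 2025, 00:00:00   (nc)",
        "ns-legacy": "NetScaler NS13.0: Build 92.21.nc, Date: Jan 01 2025, 00:00:00   (nc)",
    }
    for name, status in assess_fleet(fleet).items():
        print(f"{name:10s} {status}")
```

A "fixed" result is necessary but not sufficient: the summary notes the flaws were exploited before patches existed, so appliances that were on a vulnerable build while exposed as a Gateway or AAA virtual server, or with management access reachable, still warrant a review for persistence even after the upgrade. Anything reported as "unknown-branch" should be checked against the vendor advisory directly rather than assumed safe.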

Summary based on 3 sources
