DIVD-2025-00037 - Critical vulnerabilities in Citrix ADC and Gateway systems
Our reference | DIVD-2025-00037 |
Case lead | Victor Pasman |
Author | Davy Aarts |
Researcher(s) | |
CVE(s) | CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 |
Products | NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) |
Versions | 14.1 before 14.1-47.48; 13.1 before 13.1-59.22; 13.1-FIPS and 13.1-NDcPP before 13.1-37.241; 12.1-FIPS and 12.1-NDcPP before 12.1-55.330; 12.1 and 13.0 (End Of Life, no fix) |
Recommendation | Update your system to the latest patched version |
Patch status | Fully patched |
Status | Open |
Last modified | 27 Aug 2025 09:45 CEST |
Summary
On 26 August 2025, Citrix released security updates for three vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) appliances. The vulnerabilities are two memory overflows and an improper access control issue, which may lead to remote code execution, denial of service, or unauthorized access.
The most critical issue, CVE-2025-7775, is a memory overflow vulnerability affecting appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, and appliances with certain LB virtual servers bound to IPv6 services. Exploitation of unpatched appliances has been observed in the wild.
Additional vulnerabilities include:
- CVE-2025-7776 – Memory overflow leading to unpredictable behaviour and potential denial of service.
- CVE-2025-8424 – Improper access control on the NetScaler management interface. It is reachable by anyone with network access to the NSIP, the Cluster Management IP, a local GSLB Site IP, or a SNIP on which management access is enabled, so until the patch is applied make sure these addresses are not reachable from untrusted networks.
These issues affect the 14.1, 13.1, 13.1-FIPS, 13.1-NDcPP, 12.1-FIPS and 12.1-NDcPP release trains on builds older than the fixed versions listed under "What you can do". Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Users of those versions are strongly advised to upgrade to a supported release that addresses these vulnerabilities.
Cloud-managed instances have already been patched by Citrix.
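The preconditions for CVE-2025-7775 and CVE-2025-8424 described above can be checked offline against a saved ns.conf (or the output of `show ns runningconfig`) before deciding how urgently an appliance must be patched. The Python script below is an added example and not DIVD's or Citrix's tooling. It assumes the standard ns.conf command syntax (`set ns config -IPAddress`, `add ns ip ... -mgmtAccess`, `add vpn vserver`, `add authentication vserver`, `add server`, `add service`, `bind lb vserver`) and runs against a constructed sample configuration embedded in the script. Because this case file only says that "certain" LB virtual servers bound to IPv6 services are affected, the script flags every LB virtual server with an IPv6-backed service; treat those hits as candidates to review against the Citrix bulletin, not as confirmation.

```python
"""Exposure triage for CVE-2025-7775 and CVE-2025-8424 from a NetScaler ns.conf.

Added example, not DIVD's or Citrix's tooling. Assumptions: standard ns.conf
command syntax; the default type of `add ns ip` is SNIP; every LB vserver with
an IPv6-backed service is flagged (the case file only says "certain" ones are).
"""
import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class Exposure:
    gateway_vservers: list = field(default_factory=list)  # add vpn vserver ...
    aaa_vservers: list = field(default_factory=list)      # add authentication vserver ...
    ipv6_lb_vservers: list = field(default_factory=list)  # "lb_vserver -> ipv6_service"
    mgmt_ips: list = field(default_factory=list)          # NSIP plus IPs with mgmtAccess ENABLED

    def cve_2025_7775(self) -> bool:
        """Gateway, AAA or IPv6-backed LB vserver present: memory-overflow preconditions met."""
        return bool(self.gateway_vservers or self.aaa_vservers or self.ipv6_lb_vservers)

    def cve_2025_8424(self) -> bool:
        """Management interface reachable on at least one IP: access-control issue applies."""
        return bool(self.mgmt_ips)


def _is_ipv6(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False


def _option(tokens, name, default=None):
    """Value following `-name` on an ns.conf command line, or default if absent."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return default


def triage(ns_conf: str) -> Exposure:
    ex = Exposure()
    servers = {}   # server name -> address (from `add server`)
    services = {}  # service name -> backend address (from `add service`)
    for raw in ns_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = shlex.split(line)
        if t[:3] == ["add", "vpn", "vserver"] and len(t) > 3:
            ex.gateway_vservers.append(t[3])
        elif t[:3] == ["add", "authentication", "vserver"] and len(t) > 3:
            ex.aaa_vservers.append(t[3])
        elif t[:2] == ["add", "server"] and len(t) > 3:
            servers[t[2]] = t[3]
        elif t[:2] == ["add", "service"] and len(t) > 3:
            # second argument is either a named server or a literal address
            services[t[2]] = servers.get(t[3], t[3])
        elif t[:3] == ["bind", "lb", "vserver"] and len(t) > 4 and not t[4].startswith("-"):
            if _is_ipv6(services.get(t[4], "")):
                ex.ipv6_lb_vservers.append(f"{t[3]} -> {t[4]}")
        elif t[:3] == ["set", "ns", "config"] and _option(t, "-IPAddress"):
            ex.mgmt_ips.append(f"NSIP {_option(t, '-IPAddress')}")  # NSIP is always a management IP
        elif t[:3] == ["add", "ns", "ip"] and len(t) > 4:
            if _option(t, "-mgmtAccess", "DISABLED").upper() == "ENABLED":
                ex.mgmt_ips.append(f"{_option(t, '-type', 'SNIP')} {t[3]}")
    return ex


# Constructed sample configuration (not taken from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add ns ip 10.0.0.11 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.12 255.255.255.0 -type SNIP
add server web6 2001:db8::10
add service svc_web6 web6 HTTP 80
add service svc_web4 10.0.1.20 HTTP 80
add lb vserver lb_pub HTTP 10.0.0.50 80
add lb vserver lb_int HTTP 10.0.0.51 80
bind lb vserver lb_pub svc_web6
bind lb vserver lb_int svc_web4
add vpn vserver vpn_gw SSL 10.0.0.60 443
"""

if __name__ == "__main__":
    ex = triage(SAMPLE_NS_CONF)
    print("CVE-2025-7775 preconditions met:", ex.cve_2025_7775(),
          ex.gateway_vservers, ex.aaa_vservers, ex.ipv6_lb_vservers)
    print("CVE-2025-8424 management interface reachable via:", ex.mgmt_ips)
```

The sample configuration trips both checks: `vpn_gw` makes the appliance a Gateway and `lb_pub` fronts an IPv6 backend (CVE-2025-7775), while the NSIP and the SNIP `10.0.0.11` with `-mgmtAccess ENABLED` expose the management interface (CVE-2025-8424); `10.0.0.12` is not reported because management access is off. Service groups and IPv6 bindings created by other commands are not parsed, so a clean result from this script is not proof of non-exposure.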
What you can do
To remediate CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, apply the latest patches as soon as possible for impacted products.
Recommended fixed versions:
- NetScaler ADC / Gateway 14.1 → Upgrade to 14.1-47.48 or later
- NetScaler ADC / Gateway 13.1 → Upgrade to 13.1-59.22 or later
- NetScaler ADC 13.1-FIPS & 13.1-NDcPP → Upgrade to 13.1-37.241 or later
- NetScaler ADC 12.1-FIPS & 12.1-NDcPP → Upgrade to 12.1-55.330 or later
Important: NetScaler ADC and Gateway versions 12.1 and 13.0 are End Of Life (EOL) and no longer supported. Users running these versions must upgrade to a supported release to address the vulnerabilities.
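To decide whether a given appliance is below the fixed build, compare the release train and build number reported by `show ns version` against the list above. The Python script below is an added example, not DIVD's or Citrix's code. It assumes `show ns version` prints a line of the form `NetScaler NS14.1: Build 47.46.nc, Date: ...`, and it takes the FIPS/NDcPP distinction as an explicit argument because those builds share the 13.1 and 12.1 release numbers with the mainline trains while having their own fixed builds; the version line alone does not tell them apart. The sample version lines are constructed.

```python
"""Check a NetScaler build against the fixed builds for CVE-2025-7775/-7776/-8424.

Added example, not DIVD's or Citrix's code. Assumes `show ns version` prints
"NetScaler NS<release>: Build <major>.<minor>.nc, ..." and that the operator
knows whether the appliance runs a FIPS/NDcPP build (same release number as
the mainline train, different build numbering, different fixed build).
"""
import re

# (release, is_fips_or_ndcpp) -> first fixed build, from the fixed-versions list above.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
EOL_RELEASES = {"12.1", "13.0"}  # non-FIPS/NDcPP 12.1 and 13.0: End Of Life, no fix

VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(show_ns_version: str):
    """Return (release, (build_major, build_minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("no NetScaler version line found")
    return m["release"], (int(m["major"]), int(m["minor"]))


def assess(show_ns_version: str, fips_or_ndcpp: bool = False):
    """Return (status, detail); status is 'patched', 'vulnerable', 'eol' or 'unknown'."""
    release, build = parse_version(show_ns_version)
    running = f"{release}-{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get((release, fips_or_ndcpp))
    if fixed is not None:
        # tuple comparison handles both cases: (47, 46) < (47, 48) and (43, 56) < (47, 48)
        status = "patched" if build >= fixed else "vulnerable"
        return status, f"{running} vs fixed {release}-{fixed[0]}.{fixed[1]}"
    if release in EOL_RELEASES and not fips_or_ndcpp:
        return "eol", f"{running} is End Of Life; upgrade to a supported release"
    return "unknown", f"{running}: release not covered by this case file"


# Constructed sample lines in the assumed `show ns version` format.
SAMPLES = [
    ("NetScaler NS14.1: Build 47.46.nc, Date: Jul 1 2025, 10:00:00   (64-bit)", False),
    ("NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025, 10:00:00   (64-bit)", False),
    ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 1 2025, 10:00:00   (64-bit)", True),
    ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2025, 10:00:00   (64-bit)", False),
]

if __name__ == "__main__":
    for line, fips in SAMPLES:
        status, detail = assess(line, fips)
        print(f"{status:<10} {detail}")
```

The comparison is on the (major, minor) build tuple, so 14.1-43.56 is reported as vulnerable even though its minor number is larger than 48. Pass `fips_or_ndcpp=True` for 13.1-FIPS, 13.1-NDcPP, 12.1-FIPS and 12.1-NDcPP appliances; run against a mainline 13.1 appliance by mistake, the same 37.x build number would be judged against the wrong fixed build.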
What we are doing
DIVD is currently scanning for vulnerable Citrix ADC and Gateway appliances and notifying affected parties.
Timeline
Date | Description |
---|---|
26 Aug 2025 | Citrix releases a security bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 |
26 Aug 2025 | DIVD starts scanning for vulnerable appliances |
27 Aug 2025 | First version of this case file |
More information
- CVE-2025-7775
- CVE-2025-7776
- CVE-2025-8424
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424
- News article by NCSC-NL