![\"Citrix\"](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/08\/citrix-stars.jpg\")
<\/p>\n<\/p>\n
More than 28,200 Citrix instances are vulnerable to a critical remote code execution vulnerability tracked as CVE-2025-7775 that is already being exploited in the wild.<\/p>\n
The vulnerability affects\u00a0NetScaler ADC and NetScaler Gateway and the vendor addressed it<\/a> in updates released yesterday.<\/p>\n According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Citrix, the security issue has been exploited as a zero-day vulnerability.<\/p>\n The versions affected by CVE-2025-7775 are 14.1 before 14.1-47.48, 13.1 before13.1-59.22, 13.1-FIPS\/NDcPP before 13.1-37.241-FIPS\/NDcPP, and 12.1-FIPS\/NDcPP up to\u00a012.1-55.330-FIPS\/NDcPP.<\/p>\n Citrix does not provide any mitigations or workarounds and urges\u00a0admins to upgrade the firmware immediately.<\/p>\n Internet scans conducted by the threat monitoring platform The Shadowserver Foundation\u00a0soon after the flaw was disclosed\u00a0show that there were\u00a0more than 28,000 Citrix instances<\/a>\u00a0vulnerable to CVE-2025-7775.<\/p>\n Most of the vulnerable instances are located<\/a> in the United States<\/a> (10,100), followed by Germany (4,300), the United Kingdom (1,400), the Netherlands (1,300), Switzerland (1,300), Australia (880), Canada (820), and France (600).<\/p>\n Citrix did not share indicators of compromise associated with the exploitation activity.<\/p>\n However, the vendor specifies\u00a0that CVE-2025-7775 affects NetScaler when configured as a Gateway\/AAA virtual server (VPN, ICA Proxy, CVPN, RDP Proxy), as LB virtual servers (HTTP\/SSL\/HTTP_QUIC) bound to IPv6 or DBS IPv6 services, or as a CR virtual server with type HDX.<\/p>\n In any case, admins are recommended to upgrade to one of the following releases, which address the issue:<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\n<\/ul>\n Citrix also disclosed two other, high-severity\u00a0flaws in its security bulletin: CVE-2025-7776 (memory overflow denial-of-service) and CVE-2025-8424 (improper access control on the management interface).<\/p>\n It is noted that versions 12.1 and 13.0 (non-FIPS\/NDcPP) are also vulnerable; however, they have reached End of Life status, so customers still using these versions must upgrade to a supported release.<\/p>\n CISA has already added the critical\u00a0CVE-2025-7775 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The agency is giving federal agencies until August 28 to apply the patches from the vendor or quit using the affected products, underlining the severity of the issue and the risk associated with exploitation.<\/p>\n![\"Citrix](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/08\/location.jpeg\")
Citrix instance exposure to CVE-2025-7775 heatmap<\/strong>
Source: The Shadowserver Foundation<\/p>\n\n
![\"Picus](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/08\/blue-report-2025.jpg\")