CVE-2025-7775

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 August 2025
Modified: 24 October 2025
KEV Added: 26 August 2025
Patch: vendor patch available (Citrix advisory CTX694938)
CVSS Score (v4): 9.2 · CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0779 (92.2nd percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7775 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of all CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-7775 is a memory overflow vulnerability, tracked under CWE-119, that can result in remote code execution or denial of service. It affects Citrix NetScaler ADC and NetScaler Gateway appliances running versions 13.1, 14.1, 13.1-FIPS, and NDcPP in any of the following configurations:

- the product is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server;
- load-balancing virtual servers of type HTTP, SSL, or HTTP_QUIC are bound to IPv6 services or service groups;
- a content routing virtual server of type HDX is in use.

An unauthenticated remote attacker can trigger the flaw over the network by sending crafted traffic to an affected virtual server. Successful exploitation grants the ability to execute arbitrary code or crash the appliance, with the CVSS 9.2 vector reflecting network attack reachability, high impact on confidentiality, integrity, and availability, and the need for specific configuration conditions.

Citrix advisory CTX694938 and the associated security updates address the issue; organizations are advised to apply the vendor-supplied patches for the listed versions. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation.

EPSS for the CVE rose from a low baseline to a peak of 0.1908 on 2025-12-18 before receding to the current value of 0.0779, indicating a clear post-disclosure increase in exploitation interest that later moderated.

Vulnerability details

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers (OR) CR virtual server with type HDX

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
KEV Date Added: 26 August 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via memory corruption in a public-facing network appliance (NetScaler ADC/Gateway) maps cleanly to exploitation of exposed applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-3055: same product (Citrix NetScaler Application Delivery Controller); both on KEV
- CVE-2023-4966: same product (Citrix NetScaler Application Delivery Controller); both on KEV
- CVE-2025-7776: same product (Citrix NetScaler Application Delivery Controller)
- CVE-2025-24472: same product class (VPN / SSL gateway); both on KEV
- CVE-2025-0282: same product class (VPN / SSL gateway); both on KEV
- CVE-2026-24858: same product class (VPN / SSL gateway); both on KEV
- CVE-2024-55591: same product class (VPN / SSL gateway); both on KEV
- CVE-2025-0111: same product class (VPN / SSL gateway); both on KEV
- CVE-2025-59718: same product class (VPN / SSL gateway); both on KEV
- CVE-2025-0108: same product class (VPN / SSL gateway); both on KEV

Affected Assets

- Citrix NetScaler Application Delivery Controller: 12.1 — 12.1-55.330 · 13.1 — 13.1-37.241
- Citrix NetScaler Gateway: 13.1 — 13.1-59.22 · 14.1 — 14.1-47.48
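The configuration preconditions from the analysis above and the affected build ranges together decide whether a given appliance needs urgent attention. The following triage helper is an added example, not code from the page or from Citrix; it assumes the "X — Y" ranges mean builds on branch X before build Y (so Y is the first fixed build), and which of 13.1-37.241 and 12.1-55.330 belong to the FIPS/NDcPP lines is an assumption to confirm against advisory CTX694938. Hostnames and builds in the sample inventory are constructed.

```python
from dataclasses import dataclass
import re
from typing import Dict, Tuple

# Branch -> first fixed build. Assumption: the page's "X — Y" ranges mean builds on
# branch X before Y. The FIPS/NDcPP keys below are assumed; confirm against CTX694938.
FIXED_BUILDS: Dict[str, str] = {
    "14.1": "14.1-47.48",
    "13.1": "13.1-59.22",
    "13.1-FIPS": "13.1-37.241",
    "12.1-FIPS": "12.1-55.330",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Parse a NetScaler build string such as '13.1-58.32' into a comparable tuple."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    major, minor, build_no, sub = (int(x) for x in m.groups())
    return major, minor, build_no, sub

@dataclass
class Appliance:
    name: str
    branch: str                      # key into FIXED_BUILDS, e.g. "14.1" or "13.1-FIPS"
    build: str                       # running build, e.g. "14.1-43.56"
    gateway_or_aaa: bool = False     # VPN vserver, ICA Proxy, CVPN, RDP Proxy or AAA vserver
    lb_ipv6_backends: bool = False   # HTTP/SSL/HTTP_QUIC LB vserver bound to IPv6 services
    cr_hdx: bool = False             # content routing vserver of type HDX

def reachable_config(a: Appliance) -> bool:
    """Any one of the three configuration preconditions listed on the page suffices."""
    return a.gateway_or_aaa or a.lb_ipv6_backends or a.cr_hdx

def triage(a: Appliance) -> str:
    """'patched', 'exposed' (old build and reachable config) or 'unpatched' (old build only)."""
    fixed = FIXED_BUILDS[a.branch]
    if parse_build(a.build)[:2] != parse_build(fixed)[:2]:
        raise ValueError(f"{a.name}: build {a.build} is not on branch {a.branch}")
    if parse_build(a.build) >= parse_build(fixed):
        return "patched"
    return "exposed" if reachable_config(a) else "unpatched"

# Constructed sample inventory; names and builds are invented for this example.
SAMPLE = [
    Appliance("gw-edge-1", "14.1", "14.1-43.56", gateway_or_aaa=True),
    Appliance("lb-core-2", "13.1", "13.1-58.32", lb_ipv6_backends=True),
    Appliance("lb-lab-3", "13.1", "13.1-59.22"),
]
```

Run `triage()` over the real inventory exported from your NetScaler management tooling; "exposed" appliances are the ones to patch first, and "unpatched" ones still need the fix since configurations change.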

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent, recover)

Requires timely identification, reporting, and remediation of flaws like the memory overflow in NetScaler ADC/Gateway, directly addressing the CVE through patching as recommended in the Citrix advisory.

SI-16 Memory Protection (prevent)

Implements memory protection safeguards such as address space layout randomization or non-executable memory to prevent exploitation of the memory overflow vulnerability leading to RCE.

SI-10 Information Input Validation (prevent)

Enforces validation of inputs to network services like VPN, ICA Proxy, and HTTP/SSL load balancers, mitigating buffer overflows from malformed IPv6 or other traffic targeting the vulnerable configurations.

References