Cyber Posture

CVE-2025-7775

Critical · CISA KEV · Active Exploitation

Published: 26 August 2025
Modified: 24 October 2025
KEV Added: 26 August 2025
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0858 (92.5th percentile)
Risk Priority: 45 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7775 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent · recover

Requires timely identification, reporting, and remediation of flaws like the memory overflow in NetScaler ADC/Gateway, directly addressing the CVE through patching as recommended in the Citrix advisory.

prevent

Implements memory protection safeguards such as address space layout randomization or non-executable memory to prevent exploitation of the memory overflow vulnerability leading to RCE.

prevent

Enforces validation of inputs to network services like VPN, ICA Proxy, and HTTP/SSL load balancers, mitigating buffer overflows from malformed IPv6 or other traffic targeting the vulnerable configurations.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via memory corruption in a public-facing network appliance (NetScaler ADC/Gateway) maps cleanly to exploitation of exposed applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers (OR) CR virtual server with type HDX

Deeper analysis · AI

CVE-2025-7775 is a memory overflow vulnerability (CWE-119) that can lead to remote code execution and/or denial of service in NetScaler ADC and NetScaler Gateway. It affects instances configured as a Gateway, including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy, as well as AAA virtual servers. The issue also impacts NetScaler ADC and NetScaler Gateway versions 13.1, 14.1, 13.1-FIPS, and NDcPP when load balancing (LB) virtual servers of type HTTP, SSL, or HTTP_QUIC are bound with IPv6 services or service groups bound with IPv6 servers, or with IPv6 DBS services or service groups bound with IPv6 DBS servers. Additionally, it affects CR virtual servers with type HDX.
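The configuration conditions listed above can be checked against an exported configuration. The following is an added example, not code from Citrix or from this page: it assumes NetScaler `ns.conf`-style `add`/`bind` lines, uses constructed object names and documentation-range addresses, and does not cover DBS (domain-based) servers. A match only shows that a listed configuration is present; the running build still has to be compared with advisory CTX694938.

```python
import ipaddress

LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}  # LB vserver types named in the description

def is_ipv6(value):
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False  # a server name or domain, not a literal address

def affected_reasons(conf_text):
    """Return sorted reasons why an ns.conf-style text matches a listed condition."""
    servers, backends, lb_type, lb_binds, reasons = {}, {}, {}, [], set()
    for line in conf_text.splitlines():
        t = line.split()  # assumption: object names contain no quoted spaces
        if len(t) < 4:
            continue
        head = (t[0].lower(), t[1].lower())
        vserver = t[2].lower() == "vserver" and len(t) > 4
        if head in (("add", "vpn"), ("add", "authentication")) and vserver:
            reasons.add(f"{head[1]} vserver {t[3]}")  # Gateway or AAA vserver
        elif head == ("add", "cr") and vserver and t[4].upper() == "HDX":
            reasons.add(f"cr vserver {t[3]} (HDX)")
        elif head == ("add", "lb") and vserver:
            lb_type[t[3]] = t[4].upper()
        elif head == ("bind", "lb") and vserver:
            lb_binds.append((t[3], t[4]))
        elif head == ("add", "server"):
            servers[t[2]] = t[3]  # server name -> address
        elif head in (("add", "service"), ("bind", "servicegroup")):
            backends.setdefault(t[2], set()).add(t[3])  # service/group -> server
    for vs, target in lb_binds:
        if lb_type.get(vs) in LB_TYPES and any(
                is_ipv6(servers.get(m, m)) for m in backends.get(target, ())):
            reasons.add(f"lb vserver {vs} ({lb_type[vs]}) -> IPv6 backend via {target}")
    return sorted(reasons)

# Constructed sample configuration (documentation-range addresses).
SAMPLE = """\
add vpn vserver gw1 SSL 203.0.113.10 443
add server web4 192.0.2.20
add server web6 2001:db8::20
add serviceGroup sg6 HTTP
bind serviceGroup sg6 web6 80
add service svc4 web4 HTTP 80
add lb vserver vs_a HTTP 203.0.113.11 80
add lb vserver vs_b SSL 203.0.113.12 443
bind lb vserver vs_a svc4
bind lb vserver vs_b sg6
"""
```

In the sample, `vs_a` is not reported because its only backend is IPv4, while `vs_b` and the Gateway vserver `gw1` are.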

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability allows unauthenticated remote attackers to exploit it over the network with low attack complexity and no user interaction required. Successful exploitation enables remote code execution, compromising confidentiality, integrity, and availability to a high degree, or causes denial of service.

Mitigation details are provided in the Citrix support advisory CTX694938 at https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938.

The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-7775, indicating real-world exploitation.

Details

CWE(s)
KEV Date Added: 26 August 2025

Affected Products

citrix
netscaler application delivery controller
12.1 — 12.1-55.330 · 12.1 — 12.1-55.330 · 13.1 — 13.1-37.241
citrix
netscaler gateway
13.1 — 13.1-59.22 · 14.1 — 14.1-47.48

CVEs Like This One

CVE-2025-7776 · Same product: Citrix NetScaler Application Delivery Controller
CVE-2026-3055 · Same product: Citrix NetScaler Application Delivery Controller · both on KEV
CVE-2025-24472 · Same product class: VPN / SSL gateway · both on KEV
CVE-2024-55591 · Same product class: VPN / SSL gateway · both on KEV
CVE-2026-24858 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-0282 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-0111 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-59718 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-0108 · Same product class: VPN / SSL gateway · both on KEV
CVE-2025-25249 · Same product class: VPN / SSL gateway
