CVE-2025-7775
Published: 26 August 2025
Summary
CVE-2025-7775 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler Application Delivery Controller. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked in the top 7.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-7775 is a memory overflow vulnerability, tracked under CWE-119, that can result in remote code execution or denial of service. It affects Citrix NetScaler ADC and NetScaler Gateway appliances running versions 13.1, 14.1, 13.1-FIPS, and NDcPP when the product is configured as a Gateway (including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual server, when load-balancing virtual servers of type HTTP, SSL, or HTTP_QUIC are bound to IPv6 services or service groups, or when a content routing virtual server of type HDX is in use.
An unauthenticated remote attacker can trigger the flaw over the network by sending crafted traffic to an affected virtual server. Successful exploitation grants the ability to execute arbitrary code or crash the appliance; the CVSS 9.2 vector reflects that the flaw is reachable over the network, has high impact on confidentiality, integrity, and availability, and depends on specific configuration conditions being met.
Citrix advisory CTX694938 and the associated security updates address the issue; organizations are advised to apply the vendor-supplied patches for the listed versions. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation.
EPSS for the CVE rose from a low baseline to a peak of 0.1908 on 2025-12-18 before receding to the current value of 0.0779, indicating a clear post-disclosure increase in exploitation interest that later moderated.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25838
Vulnerability details
Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers (OR) CR virtual server with type HDX
- CWE(s): CWE-119
- KEV Date Added: 26 August 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct unauthenticated RCE via memory corruption in a public-facing network appliance (NetScaler ADC/Gateway) maps cleanly to exploitation of exposed applications.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and remediation of flaws like the memory overflow in NetScaler ADC/Gateway, directly addressing the CVE through patching as recommended in the Citrix advisory.
- SI-16 (Memory Protection): Implements memory protection safeguards such as address space layout randomization or non-executable memory to prevent exploitation of the memory overflow vulnerability leading to RCE.
- Enforces validation of inputs to network services like VPN, ICA Proxy, and HTTP/SSL load balancers, mitigating buffer overflows from malformed IPv6 or other traffic targeting the vulnerable configurations.