Citrix NetScaler Devices Targeted in New Wave of Attacks


Citrix Releases Patches Following Exploitation of Memory Overflow Vulnerability


Citrix NetScaler users are being urged to apply critical patches following the discovery of a zero-day vulnerability. The flaw, a memory overflow issue recently identified as CVE-2025-7775 with a CVSS score of 9.2 out of 10, potentially allows attackers to execute code remotely.

On August 26, Citrix warned that threat actors are actively exploiting the vulnerability. Cybersecurity expert Kevin Beaumont noted on social media that several new vulnerabilities related to NetScaler have emerged as zero-days and that patches are now available.

This vulnerability is one of three security flaws for which Citrix has released patches covering its NetScaler application delivery controller and NetScaler Gateway, which can serve as both VPN servers and proxies. While patches are available for supported versions, data from Tenable indicates that almost 20% of identified NetScaler assets are running unsupported versions, highlighting the importance of upgrading at least to versions 12.0 or 13.0.

Scott Caveza, a senior research engineer at Tenable, warned that outdated instances could serve as “ticking time bombs,” especially given the historical trend of rapid exploitation of vulnerabilities in Citrix products. Security experts have noted a growing trend among sophisticated threat actors, including nation-state hackers, to quickly exploit vulnerabilities that have been publicly disclosed.

The new vulnerabilities in question come on the heels of significant security flaws patched earlier this summer, including one labeled CVE-2025-5777, referred to as “Citrix Bleed 2,” which echoed vulnerabilities reported last year. Citrix’s advisory also indicates that both on-premise and hybrid deployments of Secure Private Access, a solution for providing tunneling access to internal applications, are similarly affected.

Some cybersecurity professionals have expressed exasperation over the frequency of vulnerabilities in Citrix’s NetScaler. Benjamin Harris, CEO of watchTowr, emphasized the need for users to check for any signs of existing compromise, as merely applying patches may not fully mitigate risks if attackers are already inside the network.

According to Caitlin Condon, Vice President of Security Research at VulnCheck, nation-state actors are more likely to exploit the newly identified vulnerabilities, given the technical challenges involved in memory corruption vulnerabilities such as the recently disclosed CVE-2025-7775. Despite being publicly acknowledged, some vulnerabilities like CVE-2025-6543 have yet to see widespread exploitation.
