On August 26, 2025, Cloud Software Group published security bulletin CTX694788 disclosing CVE-2025-7775, a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway. CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day, with a remediation deadline of August 28, 2025. The vendor's statement reads, in part: "Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed." For organizations running NetScaler as an SSL VPN or load balancer, this advisory follows the CitrixBleed 2 pattern from earlier in 2025 — an aggressive timeline driven by confirmed exploitation against unpatched edges.
What does the vendor advisory say?
CTX694788 describes CVE-2025-7775 as a memory overflow triggered when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual server. Successful exploitation leads to denial of service and, under reproducible conditions documented by the vendor, remote code execution. Cloud Software Group rates the issue critical with CVSS v3.1 base score 9.2 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H). The advisory was published alongside CVE-2025-7776 and CVE-2025-8424, two related issues in the management interface — defenders must apply the combined fixed build, not cherry-pick. Patches are available for NetScaler ADC and Gateway 14.1, 13.1, and the 13.1-FIPS/NDcPP variants. The vendor explicitly states there is no workaround for CVE-2025-7775; the only safe path is upgrading to a fixed build.
Which versions are affected and which are patched?
The vulnerable code is present in all NetScaler ADC and Gateway builds prior to 14.1-47.48, 13.1-59.22, 13.1-37.241 FIPS/NDcPP, and 12.1-55.330 FIPS/NDcPP. NetScaler ADC and Gateway 12.1 and 13.0 are end-of-life and will not receive a patch; organizations on those builds must migrate to 13.1 or 14.1 to remediate. Specifically, the fixed builds are: NetScaler ADC and NetScaler Gateway 14.1-47.48 and later; 13.1-59.22 and later; 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later; 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later. The vendor recommends verifying the installed build with show version from the CLI or in the Citrix ADM console under Infrastructure > Configuration Audit. Important: a partial upgrade to 13.1-59.20 (which fixed CitrixBleed 2) does NOT close CVE-2025-7775; you must move to 13.1-59.22 or higher.
Is it in CISA KEV and what is the EPSS score?
CISA added CVE-2025-7775 to KEV on August 26, 2025, with a 48-hour due date (August 28, 2025). The CISA entry tagged the vulnerability "known to be used in ransomware campaigns: Unknown" but cross-referenced the August 26 vendor statement of in-the-wild exploitation. EPSS scoring at disclosure was 0.06, climbing to 0.78 within four days as red-team frameworks integrated triggers. CISA's accompanying alert urged operators to "treat all NetScaler appliances reachable from untrusted networks as potentially compromised if not patched within the deadline" and recommended terminating all active sessions after the upgrade to evict any in-progress attacker.
How do you find vulnerable instances in your SBOM?
NetScaler appliances expose their build through the NITRO API as well as show version. For SBOM-driven inventories, ingest the NITRO nsversion and nslicense endpoints into your asset graph nightly, then run:
# List every NetScaler asset still on a pre-fix build
safeguard scan --cve CVE-2025-7775 --product netscaler-adc --product netscaler-gateway

# Filter to internet-facing instances with Gateway or AAA virtual servers enabled
safeguard assets list \
    --filter "vendor=citrix AND product=netscaler AND exposure=internet" \
    --feature gateway-vserver,aaa-vserver \
    --include-cve CVE-2025-7775
If you do not maintain firmware SBOMs, the cheapest enumeration is a scripted NITRO call per management IP, parsing the response and joining against the fixed-build matrix. Cloud Software Group's Citrix ADM (NetScaler Application Delivery Management) console offers a pre-built CVE compliance widget for organizations already running it.
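The scripted NITRO enumeration described above, written out as an added example (this is not code from the advisory or from the Safeguard product). It pulls the nsversion record from each management IP, parses the "NetScaler NS13.1: Build 59.22.nc, ..." string that show version and the NITRO nsversion endpoint both return, and joins it against the fixed-build matrix quoted in this article. The FIXED_BUILDS table, the assumption that the FIPS/NDcPP flag has to come from your inventory rather than from the version string, and the SAMPLE_INVENTORY records are all constructed for the example.

```python
"""Added example: decide whether each NetScaler build is below the CTX694788
fixed build for CVE-2025-7775. Not vendor or product code."""
import json
import re
import ssl
import urllib.request

# Fixed builds as quoted in the article, keyed by (release, fips_or_ndcpp).
# None means the release is end-of-life and no fix will ship (assumption:
# table transcribed from the article, not pulled from the vendor feed).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
    ("12.1", False): None,
    ("13.0", False): None,
    ("13.0", True): None,
}

# Version strings look like "NetScaler NS13.1: Build 59.20.nc, Date: ...".
_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(version_string):
    """Return (release, (major, minor)) from a NetScaler version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version_string!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_string, fips_or_ndcpp=False):
    """Classify one appliance: 'fixed', 'vulnerable', 'eol' or 'unknown'.

    fips_or_ndcpp is assumed to come from your inventory (for example the
    nslicense record); the version string alone is not relied on for it.
    """
    release, build = parse_version(version_string)
    fixed = FIXED_BUILDS.get((release, fips_or_ndcpp), "missing")
    if fixed == "missing":
        return "unknown"
    if fixed is None:
        return "eol"
    return "fixed" if build >= fixed else "vulnerable"


def fetch_nsversion(mgmt_ip, user, password, verify_tls=True):
    """GET /nitro/v1/config/nsversion from one management IP (network call).

    NITRO reads credentials from the X-NITRO-USER / X-NITRO-PASS headers.
    Management interfaces often carry self-signed certificates; disable
    verification only against a pinned lab appliance.
    """
    req = urllib.request.Request(
        f"https://{mgmt_ip}/nitro/v1/config/nsversion",
        headers={"X-NITRO-USER": user, "X-NITRO-PASS": password,
                 "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["nsversion"]["version"]


def triage(inventory):
    """inventory: list of dicts with 'host', 'version', 'fips'.
    Returns host -> status so the result can be joined into the asset graph."""
    return {item["host"]: assess(item["version"], item.get("fips", False))
            for item in inventory}


# Constructed sample inventory standing in for the nightly NITRO pull.
SAMPLE_INVENTORY = [
    {"host": "gw-dmz-01", "version": "NetScaler NS13.1: Build 59.20.nc, Date: May 1 2025", "fips": False},
    {"host": "gw-dmz-02", "version": "NetScaler NS13.1: Build 59.22.nc, Date: Aug 20 2025", "fips": False},
    {"host": "lb-core-01", "version": "NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025", "fips": False},
    {"host": "gw-fips-01", "version": "NetScaler NS13.1: Build 37.240.nc, Date: Jul 1 2025", "fips": True},
    {"host": "lb-legacy-01", "version": "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2024", "fips": False},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Two details matter in practice. The 13.1-59.20 case comes out as vulnerable, which is exactly the partial-upgrade trap called out in the version section. And the FIPS flag cannot be skipped: a 13.1-FIPS appliance on 37.241 is fixed, but compared against the non-FIPS 59.22 threshold it would be misreported as vulnerable, so the flag must be carried in the inventory join rather than guessed from the build number.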
What is the recommended patch rollout?
Cloud Software Group's recommended rollout follows the same pattern as the CitrixBleed advisories. First, snapshot configuration via show ns runningConfig | tail -50 and back up /nsconfig/ns.conf. Second, upgrade the standby node in HA pairs first, force failover, and verify session continuity before upgrading the new standby. Third, terminate ICA, PCoIP, and AAA sessions globally with kill icaconnection -all, kill aaa session -all, and kill pcoip session -all — this is non-negotiable per the vendor's August 26 follow-up post. Fourth, rotate all session keys, API keys, and certificates stored on the appliance because exploit chains observed in the wild dumped memory before patch. Allow 20–30 minutes per node for the upgrade and verification phase; the session kill step adds whatever time end users need to reconnect.
If you cannot patch within the CISA window, isolate the management interface to an out-of-band network and restrict gateway access by source IP via responder policies — but recognize this is a delay, not a fix. The vendor confirmed no workaround exists.
What detections does the vendor or CISA publish?
Cloud Software Group's August 26 incident response guide recommends scanning /var/log/ns.log and /var/log/httpaccess.log for anomalous gateway request volumes and oversized request bodies to /vpn/, /cgi/, and /nf/auth/ paths. CISA AA25-238A includes IOCs and the following Sigma-format detection that defenders should ingest from the official advisory:
# Source: CISA AA25-238A NetScaler exploitation, published 2025-08-27
title: NetScaler Gateway Suspicious Pre-Auth Request Burst
status: stable
logsource:
    product: citrix
    service: netscaler
detection:
    selection:
        url|contains:
            - '/vpn/'
            - '/cgi/api/login'
            - '/nf/auth/'
        # numeric comparison modifier: request body larger than 4096 bytes
        request_body_size|gt: 4096
        response_code:
            - 500
            - 502
    # fire when one source IP produces more than 15 matching requests
    # in the evaluation window
    condition: selection | count() by src_ip > 15
fields:
    - src_ip
    - request_uri
    - response_size
level: high
CISA also published YARA rules tagged ToolShell-NSC for the most common post-exploitation web shell observed across August 2025 victim telemetry.
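To show what the rule above actually does when run over log data, here is an added example (not CISA's or the vendor's code) that applies the same selection clauses and the per-source threshold to a stream of access-log events. It assumes the events have already been normalized to the rule's field names (url, request_body_size, response_code, src_ip); mapping raw httpaccess.log lines to those fields is left to the log pipeline. The sample events, including the source addresses and paths, are constructed for the example.

```python
"""Added example: evaluate the Sigma selection and count()-by-src_ip
threshold over constructed NetScaler access events. Not CISA or vendor code."""
import json
from collections import Counter

# Selection criteria transcribed from the rule.
URL_FRAGMENTS = ("/vpn/", "/cgi/api/login", "/nf/auth/")
MIN_BODY_SIZE = 4096          # rule: request_body_size|gt: 4096
ERROR_CODES = {500, 502}      # rule: response_code in [500, 502]
PER_SOURCE_THRESHOLD = 15     # rule: count() by src_ip > 15


def matches_selection(event):
    """True when a single event satisfies every clause of the selection."""
    url = event.get("url", "")
    return (
        any(frag in url for frag in URL_FRAGMENTS)
        and int(event.get("request_body_size", 0)) > MIN_BODY_SIZE
        and int(event.get("response_code", 0)) in ERROR_CODES
    )


def find_bursts(events):
    """Count matching events per src_ip and return the sources over threshold,
    most prolific first, as (src_ip, count) pairs."""
    counts = Counter(ev["src_ip"] for ev in events if matches_selection(ev))
    return [(ip, n) for ip, n in counts.most_common() if n > PER_SOURCE_THRESHOLD]


def load_jsonl(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def make_sample_log():
    """Constructed event stream: one source sending 16 oversized requests to
    /vpn/ that end in 500s (should alert), a source with large bodies but 200s
    (must not alert), a source at exactly 15 hits (at, not over, threshold),
    and ordinary logon traffic."""
    events = []
    for _ in range(16):
        events.append({"src_ip": "203.0.113.7", "url": "/vpn/index.html",
                       "request_body_size": 8192, "response_code": 500})
    for _ in range(20):
        events.append({"src_ip": "198.51.100.9", "url": "/vpn/index.html",
                       "request_body_size": 8192, "response_code": 200})
    for _ in range(15):
        events.append({"src_ip": "192.0.2.44", "url": "/nf/auth/login.do",
                       "request_body_size": 5000, "response_code": 502})
    events.append({"src_ip": "192.0.2.1", "url": "/logon/LogonPoint/index.html",
                   "request_body_size": 120, "response_code": 200})
    return "\n".join(json.dumps(ev) for ev in events)


if __name__ == "__main__":
    for ip, n in find_bursts(load_jsonl(make_sample_log())):
        print(f"ALERT src_ip={ip} matching_requests={n}")
```

The three non-alerting sources are the ones a tuning pass will meet in the field: large bodies alone are normal for some gateway clients, and the threshold is strictly greater than 15, so a source sitting exactly on it stays below the line. When running this as a one-off triage over the 30-day window, feed it the whole retention period rather than a day at a time, since a slow burst spread across days will never reach the count.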
CitrixBleed 2 (CVE-2025-5777) earlier in 2025 set the operational precedent that organizations failed to internalize: the original CitrixBleed (CVE-2023-4966) victim list was still being updated 14 months after the patch shipped because organizations failed to terminate sessions post-upgrade. CVE-2025-7775 has the same shape. Organizations that patch but skip the session kill leave attacker-controlled sessions live in the post-upgrade window and re-enter through them.
Forensic triage during the patch window: pull /var/nslog/auditlog and /var/log/httpaccess.log for the 30 days preceding the patch and grep for the URI patterns in the CISA detection above. Cross-reference any matching source IP against threat-intelligence feeds (Mandiant Advantage, Recorded Future, Censys) for known C2 infrastructure. Capture memory snapshots from each appliance before upgrade if forensic preservation is required for incident response.
How Safeguard Helps
Safeguard's NetScaler firmware ingestion pipeline parses NITRO API output into a normalized SBOM, then matches build identifiers against the CTX694788 fixed-version matrix and the CISA KEV entry. The default policy gate fails any change-management ticket promoting a NetScaler image below 14.1-47.48 or 13.1-59.22. Griffin AI computes reachability scoring across the gateway-vserver, aaa-vserver, and management interfaces, so SOC teams see internet-exposed boxes first in the dashboard. VEX statements from Cloud Software Group are auto-ingested when the appliance does not enable the affected virtual server types, suppressing noise on internal-only load balancers. The ServiceNow integration generates a single change ticket per HA pair with the fixed build hash pinned in the body, the CISA KEV due date copied into the SLA field, and the session-kill checklist attached as a runbook page — turning a multi-team firefight into a tracked, auditable workflow.