Citrix NetScaler ADC and NetScaler Gateway Zero-Day Remote Code Execution Vulnerability Exploited in the Wild
Posted: Wednesday, Aug 27

Citrix has released patches to address a zero-day remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that has been exploited. Organisations are urged to patch immediately as Citrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years.

“While patches are available for supported versions of NetScaler ADC and Gateway devices, Citrix notes that versions 12.0 and 13.1 are end-of-life and no longer supported. Our analysis of Tenable telemetry data found that nearly 20% of NetScaler assets identified are on these unsupported versions. The greatest concentration of 13.0 devices was in North America, while 12.1 saw the greatest concentration in the APAC region. These end-of-life instances are ticking time bombs, especially given the recent exploitation history of Citrix flaws.

“CVE-2025-7775 can be exploited by an unauthenticated attacker to achieve remote code execution or cause a denial of service condition. While Citrix has not provided details on the breadth and depth of exploitation, they do note that this flaw has already been exploited. Given attackers’ interest in past Citrix vulnerabilities, including the widely abused original CitrixBleed (CVE-2023-4966), it’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalise on this flaw.” – Scott Caveza, senior staff research engineer, Tenable

Further analysis is available on Scott Caveza’s blog.
