
Cloud Software Group released builds on August 26, 2025, to address three security vulnerabilities. NetScaler Gateway and NetScaler are affected by CVE-2025-7775, which has a CVSS score of 9.2. CVE-2025-7776 impacts NetScaler Gateway (CVSS 8.8), and CVE-2025-8424 impacts NetScaler (CVSS 8.7).
CVE-2025-7775 is a memory overflow vulnerability whose exploitation can lead to Denial of Service on NetScaler appliances and possibly a Remote Code Execution (RCE) attack. The vulnerability has several independent pre-conditions:
a) NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR as a AAA virtual server.
b) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or service groups bound with IPv6 servers
c) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or service groups bound with IPv6 DBS servers
d) NetScaler is configured with a CR (Cache redirection) virtual server with type HDX.
As of August 26, 2025, Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends that customers upgrade their NetScaler firmware to the versions containing the fix, as there are no mitigations available to protect against a potential exploit.
Additionally, customers can determine if they have an appliance configured as any of the following by inspecting their ns.conf file for the specified strings:
An Auth Server (AAA Vserver).
add authentication vserver .*
A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy)
add vpn vserver .*
LB vserver of Type HTTP_QUIC | SSL | HTTP with IPv6 server bindings:
enable ns feature lb.*
add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*
add server .* <IPv6>
bind servicegroup <servicegroup name> <IPv6 server> .*
add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*
bind lb vserver .* <ipv6 servicegroup name>
LB vserver of Type HTTP_QUIC | SSL | HTTP with DBS IPv6 server:
enable ns feature lb.*
add serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*
add server .* <domain> -queryType AAAA
add service .* <IPv6 DBS server >
bind servicegroup <servicegroup name> <IPv6 DBS server> .*
add lb vserver .* (HTTP_QUIC | SSL | HTTP) .*
bind lb vserver .* <ipv6 servicegroup name>
CR vserver with type HDX:
add cr vserver .* HDX .*
CVE-2025-7776 is also a memory overflow vulnerability which can lead to unpredictable/erroneous behavior or a denial of service on NetScaler appliances. This vulnerability only impacts NetScaler if NetScaler is configured as Gateway (VPN virtual server/ICA Proxy/CVPN/RDP Proxy) with a PCoIP Profile bound to them.
Customers can determine if they have an appliance configured by inspecting their ns.conf file for the specified strings.
A Gateway (VPN vserver) with a PCoIP Profile bound to it
add vpn vserver .* -pcoipVserverProfileName .*
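The ns.conf checks listed above for CVE-2025-7775 and CVE-2025-7776 can be automated. The following is an added example, not code from Cloud Software Group: it generalises the string patterns by correlating `add server`, `bind serviceGroup` and `bind lb vserver` lines, so an IPv6 server is reported only when it is actually reachable from an HTTP, SSL or HTTP_QUIC LB vserver. The function name, the result labels and the sample configuration are assumptions made for this example; it does not check `enable ns feature lb` or the service group's own type, so it errs toward reporting.

```python
import ipaddress
import re

LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}
SAMPLE = """add server app6 2001:db8::10
add server "dbs app" app.example.test -queryType AAAA
add serviceGroup sg_app HTTP
add lb vserver vs_app HTTP 192.0.2.10 80
bind lb vserver vs_app sg_app
bind serviceGroup sg_app app6 80
"""  # constructed sample, not taken from a real appliance

def _is_ipv6(value):
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False

def scan_ns_conf(text):
    """Return the advisory pre-conditions that an ns.conf text matches."""
    found, servers, members, vs_type, binds = set(), {}, {}, {}, []
    for line in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)   # keep quoted names as one token
        low = [t.lower() for t in tok]
        cmd = " ".join(low[:3])
        if cmd == "add authentication vserver":
            found.add("aaa-vserver")
        elif cmd == "add vpn vserver":
            found.add("gateway")
            if "-pcoipvserverprofilename" in low:
                found.add("gateway-pcoip")       # CVE-2025-7776 pre-condition
        elif cmd == "add cr vserver" and "hdx" in low[4:]:
            found.add("cr-hdx")
        elif cmd == "add lb vserver" and len(tok) > 4:
            vs_type[tok[3]] = tok[4].upper()
        elif cmd == "bind lb vserver" and len(tok) > 4:
            binds.append((tok[3], tok[4]))
        elif low[:2] == ["add", "server"] and len(tok) > 3:
            if _is_ipv6(tok[3]):
                servers[tok[2]] = "lb-ipv6"
            elif "-querytype aaaa" in " ".join(low):
                servers[tok[2]] = "lb-ipv6-dbs"
        elif low[:2] in (["add", "service"], ["bind", "servicegroup"]) and len(tok) > 3:
            members.setdefault(tok[2], set()).add(tok[3])
    for vserver, target in binds:                # correlate last: line order is irrelevant
        if vs_type.get(vserver) in LB_TYPES:
            found.update(servers[s] for s in members.get(target, ()) if s in servers)
    return found
```

Run `scan_ns_conf(open("ns.conf").read())` against a copy of the configuration; an empty set means none of the listed patterns matched, and the firmware version still needs to be compared against the fixed builds.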
CVE-2025-8424 arises from improper access control on the NetScaler Management Interface and can give an attacker access to files they are not authorized for. However, exploiting this vulnerability requires access to the NSIP, Cluster Management IP, local GSLB Site IP, or a SNIP with management access. In most NetScaler deployments, these IPs are protected by access control lists (ACLs) or by an IDAM solution. If access to the NetScaler console isn't gated by an IDAM solution, or if local authentication is still being used, CSG strongly recommends that customers consider using IDAM solutions and disabling local authentication. Additionally, NetScaler secure deployment practices recommend that the NSIP not be exposed to the internet.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities described above:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible:
- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
Update installation
Download permanent fixes for NetScaler
NetScaler and Citrix are both part of Cloud Software Group, and share the same ticketing system. If you encounter issues when you are updating your affected builds, please contact Citrix Customer Support, irrespective of whether your product includes NetScaler branding or Citrix branding.
Learn more and stay up to date
Read the security bulletin for NetScaler and NetScaler Gateway