{"id":174259858,"date":"2025-08-26T06:34:41","date_gmt":"2025-08-26T14:34:41","guid":{"rendered":"https:\/\/www.netscaler.com\/blog\/?p=174259858"},"modified":"2025-08-28T09:13:28","modified_gmt":"2025-08-28T17:13:28","slug":"critical-security-update-announced-for-netscaler-gateway-and-netscaler","status":"publish","type":"post","link":"https:\/\/www.netscaler.com\/blog\/news\/critical-security-update-announced-for-netscaler-gateway-and-netscaler\/","title":{"rendered":"Critical security update announced for NetScaler Gateway and NetScaler"},"content":{"rendered":"\n

Cloud Software Group released builds on August 26, 2025, to address three security vulnerabilities. NetScaler Gateway & NetScaler is affected by CVE-2025-7775, which has a CVSS score of 9.2. CVE-2025-7776 impacts NetScaler Gateway (CVSS 8.8), CVE-2025-8424 impacts NetScaler (CVSS 8.7). <\/p>\n\n\n\n

<\/div>\n\n\n\n

CVE-2025-7775<\/strong> is a memory overflow vulnerability the exploit of which can lead to Denial of Service on NetScaler appliances and possibly a Remote Code Execution (RCE) attack. There are several independent pre-conditions for this vulnerability, these are:<\/p>\n\n\n\n

\u200b\u200ba) NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR as a AAA virtual server.<\/p>\n\n\n\n

OR<\/p>\n\n\n\n

b) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or service groups bound with IPv6 servers<\/p>\n\n\n\n

OR<\/p>\n\n\n\n

c) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or service groups bound with IPv6 DBS servers<\/p>\n\n\n\n

OR<\/p>\n\n\n\n

d) NetScaler is configured with a CR (Cache redirection) virtual server with type HDX.<\/p>\n\n\n\n

As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the fix as there are no mitigations available to protect against a potential exploit.<\/p>\n\n\n\n

Additionally, customers can determine if they have an appliance configured as any of the following by inspecting their ns.conf<\/strong> file for the specified strings<\/p>\n\n\n\n

An Auth Server (AAA Vserver).<\/strong><\/p>\n\n\n\n

add authentication vserver .*<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy) <\/strong><\/p>\n\n\n\n
add vpn vserver .*<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
LB vserver of Type HTTP_QUIC | SSL | HTTP with IPv6 server bindings :<\/strong><\/p>\n\n\n\n
enable ns feature lb.*\nadd serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*\nadd server .* <IPv6>\nbind servicegroup <servicegroup name> <IPv6 server> .*\nadd lb vserver .* (HTTP_QUIC|SSL|HTTP) .*\nbind lb vserver .* <ipv6 servicegroup name><\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
LB vserver of Type HTTP_QUIC | SSL | HTTP with DBS IPv6 server  : <\/strong><\/p>\n\n\n\n
enable ns feature lb.*\nadd serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*\nadd server .* <domain> -queryType AAAA\nadd service .* <IPv6 DBS server >  \nbind servicegroup <servicegroup name> <IPv6 DBS server> .*\nadd lb vserver .* (HTTP_QUIC | SSL | HTTP) .*\nbind lb vserver .* <ipv6 servicegroup name><\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
CR vserver with type HDX: <\/strong><\/p>\n\n\n\n
add cr vserver .* HDX .*<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
CVE-2025-7776 <\/strong>is also a memory overflow vulnerability which can lead to unpredictable\/erroneous behavior or a denial of service on NetScaler appliances. This vulnerability only impacts NetScaler if NetScaler is configured as Gateway (VPN virtual server\/ICA Proxy\/CVPN\/RDP Proxy) with a PCoIP Profile bound to them. <\/p>\n\n\n\n
Customers can determine if they have an appliance configured by inspecting their ns.conf file for the specified strings.<\/p>\n\n\n\n
A Gateway (VPN vserver) with with PCoIP Profile bound to it<\/strong><\/p>\n\n\n\n
add vpn vserver .* -pcoipVserverProfileName .*<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
CVE-2025-8424 <\/strong>arises due to improper access control on NetScaler Management Interface and can lead to an attacker getting unauthorized access to files they\u2019re not authorized for. However, access to NSIP or Cluster Management IP or local GSLB Site IP or SNIP with management access is required to exploit this vulnerability. In most NetScaler deployments, these IP\u2019s are protected by access control lists (ACL\u2019s) or via an IDAM solution. If access to NetScaler console isn\u2019t gated by IDAM solutions or if local authentication is still being used, CSG strongly recommends customers to consider using IDAM solutions and disabling local authentication. Additionally, NetScaler secure deployment<\/a> practices recommend that NSIP not be exposed to the internet.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\u200b\u200bThe following supported versions of NetScaler ADC<\/strong> and NetScaler Gateway<\/strong> are affected by the vulnerabilities described above: <\/p>\n\n\n\n