{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-033.pdf"
    },
    "title": "Critical Vulnerabilities in Citrix NetScaler Products",
    "serial_number": "2025-033",
    "publish_date": "26-08-2025 15:40:17",
    "description": "On 26 August 2025, Citrix released a security advisory addressing one critical and two high severity vulnerabilities in NetScaler ADC and NetScaler Gateway. Citrix warns that exploits of the critical vulnerability, CVE-2025-7775, have been observed on unmitigated appliances.<br>\nIt is recommended to update affected assets as soon as possible.<br>\n",
    "url_title": "2025-033",
    "content_markdown": "---    \ntitle: 'Critical Vulnerabilities in\u00a0Citrix\u00a0NetScaler\u00a0Products'\nnumber: '2025-033'\nversion: '1.0'\noriginal_date: '2025-08-26'\ndate: '2025-08-26'\n---\n\n_History:_\n\n* _26/08/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 26 August 2025, Citrix released a security advisory addressing one critical and two high severity vulnerabilities in NetScaler ADC and NetScaler Gateway [1]. Citrix warns that **exploits of the critical vulnerability, CVE-2025-7775, have been observed on unmitigated appliances**.\n\nIt is recommended to update affected assets as soon as possible.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-7775**, with a CVSS score of 9.2, is due to improper restriction of operations within the bounds of a memory buffer, leading to Remote Code Execution (RCE) and/or Denial of Service [1]. To be exploitable, NetScaler must have **one of the following configurations**:\n\n- Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server\n- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers\n- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers\n- CR virtual server with type HDX\n\nThe vulnerability **CVE-2025-7776**, with a CVSS score of 8.8, is due to improper restriction of operations within the bounds of a memory buffer, leading to unpredictable or erroneous behaviour and Denial of Service. To be exploitable, NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it.\n\nThe vulnerability **CVE-2025-8424**, with a CVSS score of 8.7, is due to improper access control. To exploit this vulnerability, it is necessary for an attacker to have access to the NSIP address, the Cluster Management IP or the local GSLB Site IP, or SNIP with Management Access.\n\n# Affected Products\n\nThe following products are affected by the vulnerabilities [1]:\n\n- NetScaler ADC and NetScaler Gateway\u202f14.1\u202fBEFORE 14.1-47.48\n- NetScaler ADC and NetScaler Gateway\u202f13.1\u202fBEFORE 13.1-59.22\n- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP\n- NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP\n\n_Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and remain vulnerable._\n\n# Recommendations\n\nIt is recommended updating as soon as possible to the latest version of NetScaler ADC and NetScaler Gateway.\n\n## **CVE-2025-7775**\n\nCustomers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings\n\n- An Auth Server (AAA Vserver): `add authentication vserver .*`\n- A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy): `add vpn vserver .*`\n- LB vserver of Type HTTP_QUIC|SSL|HTTP bound with IPv6 services or servicegroups bound with IPv6 servers:\n\n    ```\n    enable ns feature lb.*\n    add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*\n    add server .* <IPv6>\n    bind servicegroup <servicegroup name> <IPv6 server> .*\n    add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*\n    bind lb vserver .* <ipv6 servicegroup name>\n    ```\n\n- LB vserver of Type HTTP_QUIC|SSL|HTTP bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers: \n\n    ```\n    enable ns feature lb.*\n    add serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*\n    add server .* <domain> -queryType AAAA\n    add service .* <IPv6 DBS server > \n    bind servicegroup <servicegroup name> <IPv6 DBS server> .*\n    add lb vserver .* (HTTP_QUIC | SSL | HTTP) .*\n    bind lb vserver .* <ipv6 servicegroup name>\n    ```\n\n- CR vserver with type HDX: `add cr vserver .* HDX .*`\n\n## **CVE-2025-7776**\n\nCustomers can determine if they have an appliance configured as Gateway (VPN vserver) with PCoIP Profile bounded to it, by inspecting their _ns.conf_ file for the specified strings: `add vpn vserver .* -pcoipVserverProfileName .*`\n\n# References\n\n[1] <https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424>",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/08/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 26 August 2025, Citrix released a security advisory addressing one critical and two high severity vulnerabilities in NetScaler ADC and NetScaler Gateway [1]. Citrix warns that <strong>exploits of the critical vulnerability, CVE-2025-7775, have been observed on unmitigated appliances</strong>.</p><p>It is recommended to update affected assets as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-7775</strong>, with a CVSS score of 9.2, is due to improper restriction of operations within the bounds of a memory buffer, leading to Remote Code Execution (RCE) and/or Denial of Service [1]. To be exploitable, NetScaler must have <strong>one of the following configurations</strong>:</p><ul><li>Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server</li><li>NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers</li><li>NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers</li><li>CR virtual server with type HDX</li></ul><p>The vulnerability <strong>CVE-2025-7776</strong>, with a CVSS score of 8.8, is due to improper restriction of operations within the bounds of a memory buffer, leading to unpredictable or erroneous behaviour and Denial of Service. To be exploitable, NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it.</p><p>The vulnerability <strong>CVE-2025-8424</strong>, with a CVSS score of 8.7, is due to improper access control. To exploit this vulnerability, it is necessary for an attacker to have access to the NSIP address, the Cluster Management IP or the local GSLB Site IP, or SNIP with Management Access.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following products are affected by the vulnerabilities [1]:</p><ul><li>NetScaler ADC and NetScaler Gateway\u202f14.1\u202fBEFORE 14.1-47.48</li><li>NetScaler ADC and NetScaler Gateway\u202f13.1\u202fBEFORE 13.1-59.22</li><li>NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP</li><li>NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP</li></ul><p><em>Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and remain vulnerable.</em></p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended updating as soon as possible to the latest version of NetScaler ADC and NetScaler Gateway.</p><h3 id=\"cve-2025-7775\"><strong>CVE-2025-7775</strong></h3><p>Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings</p><ul><li>An Auth Server (AAA Vserver): <code>add authentication vserver .*</code></li><li>A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy): <code>add vpn vserver .*</code></li><li><p>LB vserver of Type HTTP_QUIC|SSL|HTTP bound with IPv6 services or servicegroups bound with IPv6 servers:</p><pre><code>enable ns feature lb.*\nadd serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*\nadd server .* &lt;IPv6&gt;\nbind servicegroup &lt;servicegroup name&gt; &lt;IPv6 server&gt; .*\nadd lb vserver .* (HTTP_QUIC|SSL|HTTP) .*\nbind lb vserver .* &lt;ipv6 servicegroup name&gt;\n</code></pre></li><li><p>LB vserver of Type HTTP_QUIC|SSL|HTTP bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers: </p><pre><code>enable ns feature lb.*\nadd serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*\nadd server .* &lt;domain&gt; -queryType AAAA\nadd service .* &lt;IPv6 DBS server &gt; \nbind servicegroup &lt;servicegroup name&gt; &lt;IPv6 DBS server&gt; .*\nadd lb vserver .* (HTTP_QUIC | SSL | HTTP) .*\nbind lb vserver .* &lt;ipv6 servicegroup name&gt;\n</code></pre></li><li><p>CR vserver with type HDX: <code>add cr vserver .* HDX .*</code></p></li></ul><h3 id=\"cve-2025-7776\"><strong>CVE-2025-7776</strong></h3><p>Customers can determine if they have an appliance configured as Gateway (VPN vserver) with PCoIP Profile bounded to it, by inspecting their <em>ns.conf</em> file for the specified strings: <code>add vpn vserver .* -pcoipVserverProfileName .*</code></p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424\">https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&amp;articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}