Dutch follows English

On June 17, 2025, Citrix published an advisory regarding two vulnerabilities [1]. The two critical vulnerabilities in NetScaler ADC and NetScaler Gateway appliances allow attackers to gain unauthorized access to certain parts of the system and lead to an out-of-bounds read. We previously emailed you about these vulnerabilities and the advice to apply the patch quickly. Since then, these vulnerabilities have been abused at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your devices have been compromised and act accordingly.

 

Description 

On June 17, Citrix published details of the vulnerabilities in their products and made patches available. As early as June 20, a threat actor that is presumably a Chinese nation-state actor started exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled everybody to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability, and threat intel providers have used this exploitation to retroactively spot exploitation prior to July 4, resulting in the intelligence on Chinese actors.

Impact 

The impact of this vulnerability is high: it allows attackers to obtain valid session tokens and hijack existing sessions, or set up new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial, but not too hard either.

Risk 

If you did not patch your vulnerable NetScalers prior to July 4, you should assume they have been compromised. If you did not patch your vulnerable NetScalers prior to June 20 and you are potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise.
 

Mitigation 

Follow the patching advice previously described in our TR [3].

What should you do? 

If you have not patched your vulnerable NetScaler devices yet, we recommend taking them offline immediately and investigating compromise of the devices and of the IT environment they give access to. The likelihood of compromise is high at this point, and attackers who gained access through these NetScaler devices will most likely have had access to the systems behind them for some time.

If you patched after June 20, we recommend that you investigate your logs for signs of compromise using the published indicators [4]. Additionally, you can search for a mismatch between the IP address from which a user session was established and the IP address(es) from which that session was subsequently used. Such a mismatch is an indication of a session having been hijacked by an attacker.
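The IP-mismatch check above, worked through as an added example (not Northwave's or Citrix's code): it groups session events by session id and reports any session used from an address other than the one that established it. The log format, the field names (`sid`, `src`, `user`) and the sample lines are constructed for the example; real NetScaler syslog lines differ, so `LINE_RE` is the part to adapt to your own export.

```python
"""Flag sessions used from a source IP other than the one that created them,
the session-hijack indicator described above. Added example, not Northwave's
or Citrix's code. The log format is a constructed, simplified one: real
NetScaler syslog lines differ, so LINE_RE is what you adapt to your export."""
import re
from collections import defaultdict

# Constructed sample lines. Session s2 is established from one address and
# later used from another; s3 is used without a creation record in the window.
SAMPLE_LOG = """\
2025-06-25T08:01:10Z SESSION_CREATE sid=s1 user=alice src=203.0.113.10
2025-06-25T08:02:31Z SESSION_USE sid=s1 src=203.0.113.10
2025-06-25T08:05:02Z SESSION_CREATE sid=s2 user=bob src=198.51.100.7
2025-06-25T08:07:45Z SESSION_USE sid=s2 src=198.51.100.7
2025-06-25T09:12:19Z SESSION_USE sid=s2 src=192.0.2.44
2025-06-25T09:13:00Z SESSION_USE sid=s3 src=192.0.2.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>SESSION_CREATE|SESSION_USE) sid=(?P<sid>\S+)"
    r"(?: user=(?P<user>\S+))? src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return the line's fields as a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_hijack_candidates(log_text):
    """Return {"mismatch": {sid: [foreign IPs]}, "no_origin": [sids]}.
    "no_origin" lists sessions whose creation falls outside the log window,
    so they are checked against older logs rather than silently ignored."""
    origin = {}
    used_from = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "SESSION_CREATE":
            origin[rec["sid"]] = rec["src"]
        else:
            used_from[rec["sid"]].add(rec["src"])
    mismatch = {}
    for sid, ips in used_from.items():
        foreign = sorted(ips - {origin[sid]}) if sid in origin else []
        if foreign:
            mismatch[sid] = foreign
    no_origin = sorted(s for s in used_from if s not in origin)
    return {"mismatch": mismatch, "no_origin": no_origin}
```

Users behind carrier-grade NAT or switching between networks produce the same mismatch, so treat hits as leads to correlate with the published indicators [4], not as proof of compromise on their own.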

If you spot anomalies in IP addresses in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.

 

What will Northwave do? 

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.  

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information. 

 
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 

Disclaimer applies, see below. 

Sources 

[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420  

[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

[3]: https://northwave-cybersecurity.com/threat-response-critical-vulnerabilities-in-citrix-netscaler-adc-and-netscaler-gateway

[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71


Dear Reader,
 
On 26 August 2025, Citrix published an advisory regarding three vulnerabilities, specifically CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 [1]. These vulnerabilities allow threat actors to achieve remote code execution and/or cause a denial-of-service. Citrix noted that CVE-2025-7775 is actively exploited. Immediate patching is required. The NCSC describes these vulnerabilities as NCSC-2025-0268 [2]. Please note that these are different vulnerabilities from those described in Northwave's threat responses of 25 June 2025 and 26 June 2025.
 
Description 
The vulnerability tracked as CVE-2025-7775 (CVSS 9.2) is a memory overflow leading to remote code execution and/or denial-of-service. For it to be exploitable, the NetScaler must be configured as at least one of the following:
  • Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
  • CR virtual server with type HDX
The vulnerability tracked as CVE-2025-7776 (CVSS 8.8) is caused by a memory overflow vulnerability leading to unpredictable or erroneous behaviour and denial-of-service. For this to be exploited, the NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bound to it.
The vulnerability tracked as CVE-2025-8424 (CVSS 8.7) is caused by improper access control on the NetScaler Management Interface. Exploitation is possible if access to NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access is possible.
 
The following versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 
  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are also vulnerable. Note that these systems are End of Life (EOL), and you are advised to update to a supported version. Furthermore, Secure Private Access on-premises or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities.
 
Impact 
We estimate the impact of these vulnerabilities as high, as they enable a threat actor to gain unauthenticated remote code execution and/or denial-of-service.
 
Risk 
We estimate the risk of these vulnerabilities as high, because of the popularity of the NetScaler ADC and the NetScaler Gateway and the widespread usage of these appliances. Citrix noted that the vulnerability CVE-2025-7775 is actively exploited.
 
Mitigation 
Customers using NetScaler ADC and NetScaler Gateway are strongly advised to install the relevant updated versions as soon as possible.
  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
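To turn the affected-version and fixed-version lists above into a repeatable check, here is an added example (not Citrix's or Northwave's tooling) that encodes only the build boundaries stated in this advisory. It assumes version strings in the form the advisory uses (`14.1-47.48`, `13.1-37.241-FIPS`), optionally with an `NS` prefix and a space instead of the dash; builds on the EOL 12.1 and 13.0 branches are reported separately because no fixed build exists for them.

```python
"""Classify a NetScaler ADC / Gateway build against the fixed builds listed
in the 26 August 2025 advisory (CVE-2025-7775, -7776, -8424). Added example,
not Citrix's or Northwave's tooling. Version strings are assumed in the
advisory's own notation ("14.1-47.48", "13.1-37.241-FIPS"), optionally with
an "NS" prefix or a space instead of the dash; adapt parse_version() if your
inventory exports them differently."""
import re

# Minimum fixed build per branch, exactly as the advisory lists them.
# Key: (release branch, is FIPS/NDcPP build). FIPS and NDcPP share thresholds.
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Branches the advisory calls End of Life: vulnerable, and no fixed build exists.
EOL = {("12.1", False), ("13.0", False)}

VER_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)[- ](\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE
)

def parse_version(s):
    """Return (branch, (major, minor), is_fips_or_ndcpp); ValueError if unparsable."""
    m = VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {s!r}")
    branch, major, minor, variant = m.groups()
    return branch, (int(major), int(minor)), variant is not None

def assess(version):
    """Return 'patched', 'vulnerable', 'vulnerable-eol' or 'unknown-branch'."""
    branch, build, hardened = parse_version(version)
    key = (branch, hardened)
    if key in EOL:
        return "vulnerable-eol"
    if key not in FIXED:
        # e.g. a FIPS build on a branch the advisory does not list: check manually.
        return "unknown-branch"
    # Tuple comparison orders by major build first, then minor.
    return "patched" if build >= FIXED[key] else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, not an inventory of real appliances.
    for v in ["NS14.1 47.48", "14.1-47.47", "13.1-37.240-FIPS", "13.0-92.21"]:
        print(v, "->", assess(v))
```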
 
What should you do? 
We recommend updating the NetScaler ADC and NetScaler Gateway to one of the versions mentioned above as soon as possible if you use a vulnerable version of the software.
 
What will Northwave do? 
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.
 

E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
 
Sources 
 
Dear Reader,

On 26 August 2025, Citrix published an advisory regarding three vulnerabilities, namely CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 [1]. These vulnerabilities allow malicious actors to execute code remotely and/or carry out a denial-of-service. Citrix has indicated that CVE-2025-7775 is being actively exploited. Immediate patching is necessary. The NCSC describes these vulnerabilities as NCSC-2025-0268 [2]. Note: these are different vulnerabilities from those described in the threat responses sent by Northwave on 25 June 2025 and 26 June 2025.

Description
The vulnerability CVE-2025-7775 (CVSS 9.2) is caused by a memory overflow, which leads to remote code execution and/or denial-of-service. For this, the NetScaler must be configured as at least one of the following:
  • Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound to IPv6 services or service groups bound to IPv6 servers
  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound to DBS IPv6 services or service groups bound to IPv6 DBS servers
  • CR virtual server of type HDX
The vulnerability CVE-2025-7776 (CVSS 8.8) is caused by a memory overflow that leads to unpredictable or erroneous behaviour and denial-of-service. For this, the NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with a PCoIP profile bound to it.
The vulnerability CVE-2025-8424 (CVSS 8.7) is caused by improper access control on the NetScaler Management Interface. Exploitation is possible if access to the NSIP, Cluster Management IP, local GSLB Site IP or SNIP with Management Access is possible.

The following versions of NetScaler ADC and NetScaler Gateway are vulnerable:
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.22
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP
Versions 12.1 and 13.0 of NetScaler ADC and NetScaler Gateway are also vulnerable. Note: these systems are End of Life (EOL) and it is recommended to upgrade to a supported version. In addition, Secure Private Access on-premises or hybrid deployments with NetScaler instances are also vulnerable.

Impact
We estimate the impact of these vulnerabilities as high, because they enable a malicious actor to carry out unauthenticated remote code execution and/or denial-of-service.

Risk
We estimate the risk as high, because of the popularity of NetScaler ADC and NetScaler Gateway and the broad use of these appliances. Citrix has indicated that CVE-2025-7775 is being actively exploited.

Mitigation
Customers using NetScaler ADC and NetScaler Gateway are strongly advised to install the relevant updates as soon as possible:
  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later versions
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later versions of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later versions of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later versions of 12.1-FIPS and 12.1-NDcPP
What should you do?
We recommend updating NetScaler ADC and NetScaler Gateway to one of the versions mentioned above as soon as possible if you use a vulnerable version.

What will Northwave do?
Vulnerability Management customers will be informed if vulnerable systems are detected in their infrastructure.
We will continue to follow developments regarding this vulnerability. If new critical information becomes available, we will contact you. You can call or e-mail us if you would like additional information.

E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.

Sources
 
 

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We will not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.