The U.S. Cybersecurity and Information Security Agency (CISA) has added two Citrix vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog just as new Citrix vulnerabilities emerge – one of which is actively being exploited.
The vulnerabilities added to the KEV catalog on August 25 are rated medium severity (5.1) and were patched in November 2024. They are:
- CVE-2024-8069: a Citrix Session Recording Deserialization of Untrusted Data vulnerability
- CVE-2024-8068: a Citrix Session Recording Improper Privilege Management vulnerability
Per the agency’s standard practice, CISA did not provide any details on how the vulnerabilities are being exploited. The agency also added one additional vulnerability to the KEV catalog on August 25: CVE-2025-48384, an 8.0-severity Git Link Following vulnerability.
New NetScaler Vulnerability Exploited
Citrix issued a bulletin on August 26 warning of an actively exploited zero-day vulnerability in NetScaler ADC and NetScaler Gateway – the third NetScaler vulnerability to be targeted by hackers in two months.
Of the three vulnerabilities in the bulletin – CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 – Citrix noted that “Exploits of CVE-2025-7775 on unmitigated appliances have been observed.” CISA added CVE-2025-7775 to its KEV catalog within hours of the Citrix bulletin.
Security researcher Kevin Beaumont said in a Mastodon post that CVE-2025-7775 in particular is being exploited “to drop webshells to backdoor orgs.”
Organizations will have to perform incident response “as technical details emerge of [the] backdoor,” he said.
CVE-2025-7775 is a 9.2-rated memory overflow vulnerability leading to Remote Code Execution or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, or meets other virtual server conditions.
CVE-2025-7776 is an 8.8-rated memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service, and CVE-2025-8424 is an 8.7-severity improper access control flaw on the NetScaler Management Interface.
Affected NetScaler ADC and NetScaler Gateway customers are urged to update to patched versions as soon as possible. Updated versions include:
- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End Of Life (EOL) and no longer supported, Citrix said, and customers are urged to upgrade their appliances to a supported version.
Secure Private Access on-prem and Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities and must be upgraded.
Citrix acknowledged the work of security researchers Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner GmbH, and François Hämmerli.
Other Recent Exploited Citrix Vulnerabilities
NetScaler ADC and NetScaler Gateway vulnerabilities were also targeted by hackers in June and July. CISA added CVE-2025-6543 to the KEV catalog on June 30, and CVE-2025-5777 on July 10.
CVE-2025-5777 has been dubbed “Citrix Bleed 2” by some because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966).
CVE-2025-5777, a 9.3-rated Out-of-bounds Read vulnerability, was reportedly exploited as early as June 23, nearly two weeks before a public proof-of-concept (PoC) was released on July 4, and almost three weeks before it was added to the KEV catalog.
