Gateway Overflow at the Edge

The NVD entry for CVE-2025-7775 describes a memory overflow in NetScaler ADC and NetScaler Gateway that can yield remote code execution or denial of service when specific virtual server roles are enabled. It records a CVSS v4.0 Base score of 9.2 (vector AV:N/AC:H/AT:P/PR:N/UI:N) alongside a CVSS v3.1 Base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and it notes that CISA added the issue to its Known Exploited Vulnerabilities catalog on 2025-08-26 with a 2025-08-28 remediation due date for U.S. federal networks.

The MITRE CVE Program record mirrors the vendor-contributed description and confirms Citrix as the CNA of record, which anchors provenance for the vulnerability’s naming and scope.

The vendor’s primary notice is the Citrix advisory, issued on 2025-08-26, which discloses three NetScaler issues and highlights CVE-2025-7775 as the critical bug with observed exploitation against unmitigated appliances.

Operationally useful details appear in the NetScaler blog post, published on 2025-08-26 under Cloud Software Group branding. It enumerates independent preconditions that broaden exposure well beyond traditional remote access use cases; an appliance is vulnerable when any one of the following is configured:

  • a Gateway virtual server for VPN, ICA Proxy, Clientless VPN, or RDP Proxy;

  • an AAA virtual server;

  • a load-balancing virtual server of type HTTP, SSL, or HTTP_QUIC bound to IPv6 services or to Domain-Based Service (DBS) IPv6 services;

  • a cache redirection virtual server of type HDX.

The same vendor post states that no mitigations are available and directs administrators to upgrade immediately. The fixed builds it lists are:

  • 14.1-47.48 and later for the standard 14.1 release;

  • 13.1-59.22 and later for 13.1;

  • 13.1-37.241 and later for the 13.1 FIPS and NDcPP builds;

  • 12.1-55.330 and later for the 12.1 FIPS and NDcPP builds.

This affected-to-fixed mapping matches the one a government partner summarized the following day in the Canadian Centre for Cyber Security alert.
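Because the vendor offers no mitigation, the practical question on day one is simply "which of my appliances meet any of those preconditions, and which are still below the fixed build?" The checker below is an added example written for this article, not vendor tooling and not from the NetScaler blog post or ADM: it reads ns.conf-style CLI lines (the syntax `show ns runningConfig` prints), flags the four exposure conditions listed above, and compares the build banner against the fixed builds the post names. The sample configuration is constructed, the function names are this example's own, and identifying the FIPS/NDcPP train by the first build number (37.x on 13.1, 55.x on 12.1) is an assumption; service groups and SNIP management access are deliberately out of scope.

```python
"""Flag NetScaler configs that meet the CVE-2025-7775 exposure conditions and
check the running build against the fixed builds.  Added example for this
article; not vendor code.  Input is ns.conf-style CLI text."""
import re

# Fixed builds from the vendor post.  The 13.1-37.x and 12.1-55.x trains are the
# FIPS/NDcPP builds; identifying the train by the first build number is an
# assumption made for this example.
FIXED_BUILDS = {
    ("14.1", "std"): (47, 48),
    ("13.1", "std"): (59, 22),
    ("13.1", "fips"): (37, 241),
    ("12.1", "fips"): (55, 330),
}

# LB vserver types the vendor post names as exposed when bound to IPv6 services.
VULN_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def parse_version(conf):
    """Read the '#NS14.1 Build 47.46' banner that heads ns.conf and return
    (release, train, (build_major, build_minor)), or None if it is absent."""
    m = re.search(r"^#NS(\d+\.\d+) Build (\d+)\.(\d+)", conf, re.M)
    if not m:
        return None
    release, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    train = "fips" if (release, major) in (("13.1", 37), ("12.1", 55)) else "std"
    return release, train, (major, minor)


def is_fixed(version):
    """True when the build is at or above the fixed build for its train."""
    if version is None:
        return False
    release, train, build = version
    fixed = FIXED_BUILDS.get((release, train))
    return fixed is not None and build >= fixed


def assess(conf):
    """Walk ns.conf lines in order (objects are defined before they are bound)
    and collect every CVE-2025-7775 exposure condition that is present."""
    servers = {}       # server name -> True if its target is IPv6 or DBS IPv6
    services = {}      # service name -> (service type, IPv6 flag)
    lb_vservers = {}   # LB vserver name -> service type
    exposures = []

    for line in conf.splitlines():
        tok = line.split()
        if tok[:2] == ["add", "server"] and len(tok) >= 4:
            # add server NAME <ip|domain> [-IPv6Address YES]   (DBS IPv6 case)
            servers[tok[2]] = ":" in tok[3] or "-IPv6Address YES" in line
        elif tok[:2] == ["add", "service"] and len(tok) >= 5:
            # add service NAME <ip|serverName> TYPE PORT
            target, stype = tok[3], tok[4]
            services[tok[2]] = (stype, ":" in target or servers.get(target, False))
        elif tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 5:
            lb_vservers[tok[3]] = tok[4]             # add lb vserver NAME TYPE ...
        elif tok[:3] == ["add", "vpn", "vserver"] and len(tok) >= 4:
            exposures.append(f"Gateway vserver {tok[3]}")
        elif tok[:3] == ["add", "authentication", "vserver"] and len(tok) >= 4:
            exposures.append(f"AAA vserver {tok[3]}")
        elif tok[:3] == ["add", "cr", "vserver"] and len(tok) >= 5 and tok[4] == "HDX":
            exposures.append(f"HDX cache redirection vserver {tok[3]}")
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5:
            # bind lb vserver VSERVER SERVICE   (policy binds start with -policyName
            # and never match a service name; service groups are not modelled)
            vs, svc = tok[3], tok[4]
            stype, ipv6 = lb_vservers.get(vs), services.get(svc, (None, False))[1]
            if stype in VULN_LB_TYPES and ipv6:
                exposures.append(f"LB vserver {vs} ({stype}) bound to IPv6 service {svc}")

    version = parse_version(conf)
    return {"version": version, "fixed": is_fixed(version), "exposures": exposures}


# Constructed sample in ns.conf syntax; not taken from any real appliance.
SAMPLE_CONF = """\
#NS14.1 Build 47.46
add server web6 2001:db8::10
add server app-dns app.internal.example -IPv6Address YES
add server db4 192.0.2.20
add service svc_web6 web6 HTTP 80
add service svc_app app-dns SSL 443
add service svc_db db4 TCP 5432
add lb vserver lb_web HTTP 192.0.2.1 80 -persistenceType NONE
add lb vserver lb_app SSL 192.0.2.2 443
add lb vserver lb_db TCP 192.0.2.3 5432
add cr vserver cr_hdx HDX * 80
add vpn vserver gw_vpn SSL 192.0.2.5 443
add authentication vserver aaa_main SSL 192.0.2.6 443
bind lb vserver lb_web svc_web6
bind lb vserver lb_app svc_app
bind lb vserver lb_db svc_db
bind lb vserver lb_web -policyName rw_pol -priority 100
"""

if __name__ == "__main__":
    report = assess(SAMPLE_CONF)
    print("build:", report["version"], "fixed:", report["fixed"])
    for finding in report["exposures"]:
        print("EXPOSED:", finding)
```

On the sample, the TCP virtual server and the policy bind are correctly ignored, while the two HTTP/SSL virtual servers bound to IPv6 and DBS-IPv6 services, the HDX cache redirection server, the Gateway server and the AAA server are each reported, and build 47.46 is reported as below the 47.48 fix. Run it against `show ns runningConfig` output captured from each appliance in the inventory and feed the result into the same ticket that tracks the upgrade, since the build check is the only item that actually closes the exposure.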

The same 2025-08-26 disclosure cadence is reflected in the U.S. government notice titled “CISA Adds One Known Exploited Vulnerability to Catalog”, which formally places CVE-2025-7775 in the KEV program and obligates federal remediation on an accelerated timeline relative to routine vulnerabilities.

Third-party research teams corroborated the "exploited" status on publication. Tenable's analysis notes that exploitation had been observed before public patches while also stating that, as of 2025-08-26, no public proof-of-concept was available, and Rapid7's Emergent Threat Response post emphasizes that the vendor's v4.0 scoring implies an unauthenticated network attack with high attack complexity.

Two companion flaws disclosed by Citrix the same day matter for defenders assembling patch plans because they affect the same product family under different preconditions: the CVE-2025-7776 record describes another memory overflow that yields erroneous behavior or denial of service when a Gateway virtual server has a PCoIP profile bound, and the CVE-2025-8424 record documents improper access control on the management interface when an attacker can reach the NSIP, a Cluster Management IP, a local GSLB Site IP, or a SNIP with management access enabled.

Exposure also compounds when prior issues remain unremediated, as the "CitrixBleed 2" discussion around the CVE-2025-5777 record illustrates: that flaw centers on insufficient input validation leading to a memory overread in Gateway or AAA configurations, and it shows how a small parsing defect in an edge appliance can cascade into session token theft and follow-on compromise of adjacent systems.

Both the vendor advisory and the database entries map the NetScaler overflow to CWE-119, the broad class covering operations that read or write outside the bounds of a memory buffer. That classification matters for programmatic hardening: where an out-of-bounds write is reachable it frequently enables control-flow hijacking, and even read-only out-of-bounds access usually ends in a process crash, which is consistent with the advisory pairing remote code execution with denial of service.

A short digression on severity explains why headlines and dashboards varied between "critical 9.8" and "critical 9.2" in the first twenty-four hours. CVSS v4.0, as set out in the FIRST specification, adds an Attack Requirements (AT) metric for deployment and execution conditions of the vulnerable system that the attacker cannot influence, and it separates impact on the vulnerable system from impact on subsequent systems. In Citrix's v4.0 vector, AV:N and PR:N record that the attack is network-reachable and unauthenticated, AT:P records that exploitation depends on specific virtual server roles or IPv6 bindings, and AC:H records that the attacker must also evade security-enhancing measures on the target, which the specification scores separately from configuration prerequisites. NVD's parallel v3.1 vector has no Attack Requirements dimension, so the configuration prerequisite simply disappears from the vector: v3.1 scores the same unauthenticated network reachability and full impact on confidentiality, integrity, and availability with AC:L, and the number lands higher.

From a systems point of view, the attack surfaces flagged by the vendor are the ones that parse and transform untrusted session metadata at the very edge of the network. That explains why Gateway and AAA virtual servers, HTTP and HTTP_QUIC termination with IPv6 and DNS-based service bindings, and the HDX cache redirection path all sit on the vulnerability's execution path: those features accept, normalize, and route inputs that an adversary can shape across encryption and transport boundaries, which is precisely where memory-safety defects are most dangerous in a high-performance C/C++ codebase.

Because the affected product is proprietary and the advisory does not disclose function-level details, there is no upstream patch diff to analyze and no commit history to inspect. Root-cause certainty is therefore limited to the vendor's classification and to the behavior-level description in public databases. That constraint is typical for network edge appliances, and it places extra weight on release notes, affected-to-fixed version maps, and configuration-based exposure checks rather than code archaeology.

The vendor's guidance is upgrade-centric for this case, and the operational workflow is documented both in the blog post and in the NetScaler Automation and Orchestration tooling: the NetScaler ADM remediation page describes a one-step upgrade path for impacted instances and, importantly, surfaces inventory views aligned to the same Gateway, AAA, load-balancing IPv6, and HDX cache redirection conditions that define exposure.

Asset exposure was material on day one according to open-source measurement: reporting that cites Shadowserver's continuous Internet scans counted more than 28,200 reachable NetScaler instances vulnerable to CVE-2025-7775 on 2025-08-27. The BleepingComputer coverage summarizes that figure, links to the underlying telemetry dashboard, and repeats the vendor's statement that no mitigations beyond upgrading were available.

Taken together, the evidence forms a coherent picture: a memory-safety flaw in a performance-sensitive, externally exposed code path that turns on when particular roles and IPv6 features are present, that was exploited before disclosure, and that did not lend itself to configuration-only suppression. When the exploit conditions are this entangled with the roles a device is expected to play, inventory accuracy and build discipline, not ad-hoc filters, decide whether an organization absorbs the blast or quietly sidesteps it by moving to a fixed release immediately.
