Citrix vulnerability CVE-2025-7775 exposes critical security risks

The scale of the Citrix vulnerability

More than 28,000 Citrix NetScaler ADC and Gateway instances are currently exposed to a critical vulnerability tracked as CVE-2025-7775. This flaw allows remote code execution (RCE) and is already being exploited in the wild. With a CVSS score of 9.2, the issue ranks among the most severe threats to enterprise infrastructure in 2025. The scale of exposure highlights how quickly attackers are leveraging newly discovered weaknesses. Organizations running outdated Citrix firmware are at high risk, especially in environments handling sensitive corporate or governmental data.

Technical details and affected systems

The flaw is exposed when NetScaler is configured as a Gateway or AAA virtual server, including VPN, ICA Proxy, CVPN, and RDP Proxy. It also affects load-balancing virtual servers of type HTTP, SSL, or HTTP_QUIC that are bound to IPv6 or DBS IPv6 services. In these configurations, attackers can execute arbitrary code, potentially taking control of the underlying systems. Citrix has confirmed that no workarounds exist, and immediate firmware updates are the only reliable protection.
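
To see whether an appliance is in one of the configurations listed above, its saved ns.conf can be audited offline. The Python script below is an added example, not code from Citrix or the source article; the sample config, its names and addresses are constructed, and treating "-queryType AAAA" as the marker of a DBS IPv6 server is an assumption.

```python
import ipaddress
AFFECTED_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}  # LB vserver types named in the article

# Constructed sample config (not from a real appliance); all names and addresses are made up.
SAMPLE_NS_CONF = """\
add server web4 192.0.2.10
add server web6 2001:db8::10
add server dbs6 app.example.test -queryType AAAA
add service svc_web4 web4 HTTP 80
add service svc_web6 web6 HTTP 80
add serviceGroup sg_dbs6 SSL
bind serviceGroup sg_dbs6 dbs6 443
add lb vserver lb_v4 HTTP 192.0.2.100 80
add lb vserver lb_v6 HTTP 192.0.2.101 80
add lb vserver lb_dbs SSL 192.0.2.102 443
add vpn vserver gw_main SSL 192.0.2.200 443
bind lb vserver lb_v4 svc_web4
bind lb vserver lb_v6 svc_web6
bind lb vserver lb_dbs sg_dbs6
"""

def is_ipv6(text):
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False

def audit(conf):
    """Return sorted (vserver, reason) pairs for the configurations the article lists."""
    v6_servers, v6_backends, lb_types, hits = set(), set(), {}, set()
    # ns.conf is replayed top to bottom, so definitions precede their uses: one pass is enough.
    for t in (line.split() for line in conf.splitlines()):
        low = [w.lower() for w in t]
        if low[:2] == ["add", "server"] and len(t) >= 4:
            # Assumption: a domain-based (DBS) server that resolves IPv6 carries "-queryType AAAA".
            if is_ipv6(t[3]) or ("-querytype" in low and "aaaa" in low):
                v6_servers.add(t[2])
        elif low[:2] in (["add", "service"], ["bind", "servicegroup"]) and len(t) >= 4:
            if t[3] in v6_servers or is_ipv6(t[3]):
                v6_backends.add(t[2])  # service or service group with an IPv6 member
        elif low[:3] == ["add", "lb", "vserver"] and len(t) >= 5:
            lb_types[t[3]] = t[4].upper()
        elif low[:3] in (["add", "vpn", "vserver"], ["add", "authentication", "vserver"]) and len(t) >= 4:
            hits.add((t[3], "Gateway/AAA virtual server"))
        elif low[:3] == ["bind", "lb", "vserver"] and len(t) >= 5:
            if lb_types.get(t[3]) in AFFECTED_LB_TYPES and t[4] in v6_backends:
                hits.add((t[3], "LB vserver with IPv6 backend"))
    return sorted(hits)

if __name__ == "__main__":
    print(audit(SAMPLE_NS_CONF))
```

A match only means the appliance is in one of the configurations described above; whether it is actually vulnerable still depends on the firmware build it runs.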

Global exposure and critical regions

Security researchers have identified more than 28,200 vulnerable instances worldwide. The United States leads the list with over 10,000 exposed servers, followed by Germany with more than 4,300. The United Kingdom, France, and Australia also show significant numbers of unpatched systems. The widespread exposure underlines how global enterprises often delay updates, leaving mission-critical infrastructure open to exploitation. Attackers are known to scan the internet rapidly, meaning unpatched systems are likely already being targeted.

Urgent action required by administrators

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog. Agencies and contractors are required to apply patches by August 28, 2025, or discontinue the use of affected devices. For private companies, the urgency is equally critical. Administrators should update Citrix firmware immediately, audit exposed systems, and monitor for signs of exploitation. Delays could result in compromised data centers, service outages, and regulatory consequences.

Source: BleepingComputer