This alert has been written for technical IT services supporting organisations, such as critical infrastructure, and government.
Background
ASD’s ACSC is aware of multiple vulnerabilities impacting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products:
• CVE-2025-7775 (Critical) involves a memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service.
• CVE-2025-7776 (High) involves a memory overflow vulnerability leading to unpredictable or erroneous behaviour and Denial of Service.
• CVE-2025-8424 (High) involves improper access control on the NetScaler Management Interface.
The following versions of NetScaler ADC and NetScaler Gateway are affected:
• NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
• NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
• NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
Citrix reports active exploitation of these vulnerabilities has been observed.
Mitigation advice
Australian organisations should review their networks for use of vulnerable instances of NetScaler ADC and NetScaler Gateway.
Updated software versions are available for affected NetScaler products.
Citrix’s Security Bulletin should be consulted for advice on detecting and updating vulnerable instances of these products.
Additional details are also available at Critical security update announced for NetScaler Gateway and NetScaler.
Where to get help
Organisations that have been impacted, suspect impact or require advice and assisstance can contact us via 1300 CYBER1 (1300 292 371).