Over 21,000 Citrix systems vulnerable to active attacks
Briefly

A critical remote code execution vulnerability in Citrix NetScaler (CVE-2025-7775) affects more than 21,500 systems worldwide (21,534 in Shadowserver scans), with 9,052 vulnerable instances in Europe and the largest concentrations in the United States (7,626), Germany (3,196), and the United Kingdom (1,186). The vulnerability impacts NetScaler ADC and NetScaler Gateway when configured as Gateway/AAA virtual servers for VPN, ICA Proxy, CVPN, or RDP Proxy, and may affect load balancer virtual servers bound to IPv6 or DBS IPv6 services. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and imposed a US federal patching deadline of August 28. Citrix has released patches, but no indicators of compromise have been shared.
The critical vulnerability in Citrix NetScaler affects more than 21,500 systems worldwide. CVE-2025-7775 is already being actively exploited by attackers, with 9,052 vulnerable instances located in Europe. The US cybersecurity organization CISA has added the NetScaler vulnerability to its Known Exploited Vulnerabilities catalog, underscoring the seriousness of the situation. Due to the urgency, US federal agencies have until today (August 28) to install the patches or take the affected products out of service.
The fact that CVE-2025-7775 is already being actively exploited by attackers necessitates immediate action. However, Citrix has not shared any indicators of compromise, which makes it difficult to detect any compromises. Internet scans by security platform The Shadowserver Foundation show that 21,534 Citrix instances worldwide are currently vulnerable to the critical CVE-2025-7775 vulnerability. Most vulnerable instances are located in the United States (7,626), followed by Germany (3,196) and the United Kingdom (1,186).
CVE-2025-7775 affects various NetScaler versions: 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, and 12.1-FIPS/NDcPP up to 12.1-55.330-FIPS/NDcPP. The vulnerability manifests itself when NetScaler is configured as a Gateway/AAA virtual server for VPN, ICA Proxy, CVPN, or RDP Proxy. Systems running as load balancer virtual servers bound to IPv6 or DBS IPv6 services may also be affected.
Required actions
Citrix has now released patches to fix the problem.
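Fleet triage against the version list above, as an added example (not code from Citrix or Techzine). It assumes each build named in the list is the first fixed build of its branch, so anything lower in that branch is flagged; the host names and inventory are constructed.

```python
import re

# First fixed build per branch, taken from the version list in the article.
# Assumption: every lower build in the same branch is affected (the article's
# "up to" for 12.1-FIPS/NDcPP is read the same way).
FIXED = {
    "14.1": (47, 48),
    "13.1": (59, 22),
    "13.1-FIPS": (37, 241),
    "12.1-FIPS": (55, 330),
}

# Accepts e.g. "14.1-47.48", "13.1-37.241-FIPS", "12.1-55.330-FIPS/NDcPP".
_VERSION = re.compile(
    r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP)(?:/NDcPP)?)?$", re.I
)


def triage(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for one version string."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release, major, minor, special = m.groups()
    branch = f"{release}-FIPS" if special else release
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unlisted"  # branch not in the article's list: review by hand
    # Compare numerically: as strings, "8.50" would sort after "47.48".
    return "vulnerable" if (int(major), int(minor)) < fixed else "patched"


def triage_inventory(inventory: dict) -> dict:
    """Group host names by triage result."""
    report = {"vulnerable": [], "patched": [], "unlisted": []}
    for host, version in inventory.items():
        report[triage(version)].append(host)
    return report


# Constructed inventory: host name -> installed NetScaler build.
SAMPLE = {
    "gw-ams-01": "14.1-8.50", "gw-ams-02": "14.1-47.48",
    "adc-fra-01": "13.1-58.32", "adc-fra-02": "13.1-37.241-FIPS",
    "adc-lon-01": "12.1-55.329-NDcPP", "adc-lon-02": "12.1-65.25",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

A patched build only closes the hole going forward; since the article notes that no indicators of compromise have been shared, hosts that were exposed while vulnerable still need separate review.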
Read at Techzine Global