CitrixDeelb: What the Latest Citrix vulnerabilities mean for TPRM
Author : Ferdi Gül
Contributor: Hakan Karabacak

Highlights:
- What: Three NetScaler ADC/Gateway flaws—CVE-2025-7775, CVE-2025-7776, CVE-2025-8424—collectively dubbed CitrixDeelb. One is being exploited in the wild. At the time of writing, CVE-2025-7775 carries a CVSS v4.0 score of 9.2 (Critical) with an EPSS likelihood of 7.67%, CVE-2025-7776 holds a CVSS score of 8.8 (High) with an EPSS of 0.04%, and CVE-2025-8424 is rated at CVSS 8.7 (High) with an EPSS of 0.03%.
- When: Citrix published the bulletin on August 26, 2025; CVE-2025-7775 was added to CISA KEV the same day (due date: August 28, 2025).
- Who’s affected: Customer-managed NetScaler ADC/Gateway builds before 14.1-47.48, 13.1-59.22, 13.1-37.241 (FIPS/NDcPP), and 12.1-55.330 (FIPS/NDcPP). EOL 12.1/13.0 aren’t fixed—migrate.
- Threat activity: Active exploitation of 7775; no confirmed public attribution yet. Expect web-shell drops on exposed gateways.
- Do now: Patch to fixed builds, restrict the management plane, verify configs (Gateway/AAA/IPv6 LB/HDX), and hunt retroactively back to August 1, 2025 for pre-patch activity.
What Happened & Why It Matters
On August 26, 2025, Citrix (Cloud Software Group) disclosed three NetScaler ADC/Gateway bugs. The headline is CVE-2025-7775, a memory overflow enabling pre-auth RCE/DoS that attackers are already using against unpatched appliances. CISA added 7775 to KEV the same day with a due date of August 28 for federal agencies—an unusually tight turnaround that reflects real-world exploitation.
This is not PoC chatter. Reporting and the KEV entry confirm exploitation, and Citrix’s bulletin offers no workaround: upgrading is the only fix. Operationally, these devices sit at the remote-access edge; if a supplier leaves one exposed, compromise of the appliance can become a quick path to your apps and data.
Technical Breakdown

CVE-2025-7775 — Memory overflow → pre-auth RCE/DoS
- Attack surface / auth: Pre-auth on Gateway/AAA vServers; also reachable through specific IPv6-backed load-balancing configurations and Content Routing (CR) vServers of type HDX.
- Affected builds (fix or later): 14.1-47.48; 13.1-59.22; 13.1-37.241 (FIPS/NDcPP); 12.1-55.330 (FIPS/NDcPP).
- Conditions: Vulnerable if Gateway (VPN/ICA Proxy/CVPN/RDP Proxy) or AAA vServer is enabled; or LB vServer (HTTP/SSL/HTTP_QUIC) with IPv6; or CR vServer type HDX.
- Exploitation: Confirmed in the wild; CISA added the CVE to the Known Exploited Vulnerabilities catalog on August 26, 2025. No public proof-of-concept (PoC) code had been released at the time of writing, but one is likely to follow, so do not wait for it to prioritize.
- Threat activity / actors: No attribution publicly confirmed as of August 27, 2025. Reports note web-shell deployment on compromised gateways.
- Detection ideas: Hunt unusual requests to /vpn/, /cgi/, /menu/ with odd headers and large payloads near crash windows; inspect for unexpected files on the appliance.
Splunk (example):
index=netscaler OR sourcetype=citrix:ns ("POST" OR "GET") ("/vpn/" OR "/cgi/" OR "/menu/")
| where in(status, "500", "502") OR like(uri, "%/menu/%")
| bin _time span=5m
| stats count values(cs_User_Agent) AS user_agents by src_ip uri status _time
| where count >= 3
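The same heuristic as the Splunk search, run over a few constructed access-log lines so it can be tested offline. This is an added example and not code from the original post: the log format (a combined-log-style line whose last field is the request body length) is an assumption rather than a NetScaler-native format, the paths and addresses in the sample are placeholders rather than indicators of compromise, and the window, threshold and body-size values are starting points to tune.

```python
"""Hunt for the CVE-2025-7775 request pattern in NetScaler access logs.

Added example (not from the original post). The log format is an assumed
combined-log-style line whose last field is the request body length; the
sample lines are constructed and their paths are placeholders, not IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

WATCH_PREFIXES = ("/vpn/", "/cgi/", "/menu/")
ERROR_STATUSES = {500, 502}          # crash-adjacent responses, as in the Splunk search
LARGE_BODY = 8192                    # bytes; tune to your normal /cgi/ request sizes

LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ua>[^"]*)" (?P<req_len>\d+)$'
)

# Constructed sample (RFC 5737 test addresses): one scripted source hammering the
# gateway with large bodies that end in 502s, and one ordinary user logging in.
SAMPLE_LOGS = """\
198.51.100.7 - - [27/Aug/2025:03:14:05 +0000] "POST /cgi/login HTTP/1.1" 502 0 "python-requests/2.32.0" 16384
198.51.100.7 - - [27/Aug/2025:03:14:09 +0000] "POST /cgi/login HTTP/1.1" 502 0 "python-requests/2.32.0" 16384
198.51.100.7 - - [27/Aug/2025:03:15:41 +0000] "GET /vpn/index.html HTTP/1.1" 500 0 "python-requests/2.32.0" 0
203.0.113.20 - - [27/Aug/2025:03:14:30 +0000] "GET /vpn/index.html HTTP/1.1" 200 4122 "Mozilla/5.0" 0
203.0.113.20 - - [27/Aug/2025:03:14:33 +0000] "POST /cgi/login HTTP/1.1" 302 0 "Mozilla/5.0" 214
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["req_len"] = int(ev["req_len"])
    return ev


def is_suspicious(ev: dict) -> bool:
    """Watched path AND (error status OR unusually large request body)."""
    if not ev["uri"].startswith(WATCH_PREFIXES):
        return False
    return ev["status"] in ERROR_STATUSES or ev["req_len"] >= LARGE_BODY


def hunt(log_text: str, window: int = 300, threshold: int = 2):
    """Group suspicious events per (source IP, time window) and report those at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            bin_start = int(ev["ts"].timestamp()) // window * window
            hits[(ev["src"], bin_start)].append(ev)
    alerts = []
    for (src, bin_start), evs in sorted(hits.items()):
        if len(evs) >= threshold:
            alerts.append({
                "src": src,
                "window_start": datetime.fromtimestamp(bin_start, timezone.utc).isoformat(),
                "count": len(evs),
                "uris": sorted({e["uri"] for e in evs}),
                "user_agents": sorted({e["ua"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS):
        print(alert)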
CVE-2025-7776 — Memory overflow → DoS/unpredictable behavior
- Attack surface / auth: Pre-auth; requires Gateway with PCoIP profile bound.
- Affected builds (fix or later): Same fixed trains as above.
- Exploitation: Not confirmed publicly as of writing. Public PoC: Not confirmed.
- Detection: Look for gateway crashes coincident with PCoIP traffic and spikes in RST to PCoIP destinations.
CVE-2025-8424 — Improper access control on management interface
- Attack surface / auth: Pre-auth but requires network access to NSIP/Cluster Mgmt IP/GSLB Site IP/SNIP w/ mgmt access.
- Affected builds (fix or later): Same fixed trains as above.
- Exploitation: Not listed in KEV as of this writing; no public PoC. Priority remains high due to management-plane impact.
- Mitigation: Keep management on trusted nets only; verify no internet exposure; restrict to jump hosts and enforce IP allowlists.
Citrix table note: The “conditions” above are summarized from the Citrix security bulletin (CTX694938) that lists exact pre-conditions and fixed versions. Always validate against the official table.
Version Fingerprinting Note (for hunters)
“vhash” was a hash that appeared on the NetScaler/Citrix ADC login portal for a time and uniquely identified a specific build. It was common in early-to-mid 12.1 and 13.1 releases but was mostly removed in revisions around 2023, so it is generally absent from later 13.1 and all 14.1 builds. For a large share of the vulnerable ranges, the practical fingerprint is therefore the MTIME field in the GZIP header of rdx_en.json.gz, fetched from /vpn/js/rdx/core/lang/rdx_en.json.gz (or the shortcut /rdx_en.json.gz on some installations). The MTIME is a Unix-epoch timestamp written when the file was built, so it tracks the build closely enough to map to a version.
Examples (all inside the affected ranges):
- 13.1-33.51 (old-style vhash still present): vhash=5e939302a9d7db7e35e63a39af1c7bec, rdx_en=1667233903
- 12.1-55.297: vhash=28e592a607e8919cc6ca7dec63590e04, rdx_en=1688747367
- 14.1-4.42 (no vhash): rdx_en=1690503901
- 13.1-49.13 (no vhash): rdx_en=1689014191
Because vhash values are rarely published for the FIPS/NDcPP branches, use the rdx_en mtime for version verification on those lines too. Treat a match as a fingerprint rather than proof: an mtime missing from your table only means the build is unknown, not that it is patched.
For additional examples and a continuously updated mapping set, see this public gist.
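One way to turn the fingerprint above into a check, as an added example that is not part of the original post and not Citrix tooling: read the MTIME field straight out of the GZIP header, map it to a build using only the four pairs quoted above (any other values have to come from your own mapping set), and compare the build against the fixed builds from CTX694938. The sample .gz bytes are constructed locally with Python's gzip module so the script runs offline; the `fetch_rdx` helper, the `is_vulnerable` rule (same train, same FIPS/NDcPP branch, older build number means affected) and the `12.1-65.1` string used to show an EOL train are my assumptions, and whether a build is FIPS/NDcPP is left to the caller's flag because the mtime alone does not tell you.

```python
"""Fingerprint a NetScaler build from the GZIP MTIME of rdx_en.json.gz.

Added example (not from the original post or from Citrix). The mapping table
holds only the four pairs quoted in the post; extend it from your own mapping set.
"""
import gzip
import re
import struct
import urllib.request

# GZIP MTIME (Unix epoch, RFC 1952 header bytes 4-7, little-endian) -> build, from the post.
RDX_EN_MTIME_TO_BUILD = {
    1667233903: "13.1-33.51",
    1688747367: "12.1-55.297",
    1690503901: "14.1-4.42",
    1689014191: "13.1-49.13",
}

# Fixed builds from CTX694938: (train, is_fips_ndcpp) -> first fixed build.
# Trains missing here (12.1 and 13.0 non-FIPS) are EOL and have no fix.
FIXED_BUILDS = {
    ("14.1", False): "14.1-47.48",
    ("13.1", False): "13.1-59.22",
    ("13.1", True): "13.1-37.241",
    ("12.1", True): "12.1-55.330",
}

RDX_PATH = "/vpn/js/rdx/core/lang/rdx_en.json.gz"


def gzip_mtime(blob: bytes) -> int:
    """Return the MTIME field of a GZIP member header without inflating the body."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a GZIP (deflate) member")
    return struct.unpack("<I", blob[4:8])[0]


def build_from_rdx(blob: bytes):
    """Map a captured rdx_en.json.gz body to a build string, or None if the mtime is unknown."""
    return RDX_EN_MTIME_TO_BUILD.get(gzip_mtime(blob))


def parse_build(build: str):
    """'13.1-59.22' -> (13, 1, 59, 22)."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(build: str, fips: bool = False):
    """True if the build predates the fix on its train, False if fixed, None if the train is EOL.

    Assumed rule: compare the build-number pair (e.g. 59.22) with the fixed build
    on the same train and FIPS/NDcPP branch; an older pair means affected.
    """
    major, minor, b_major, b_minor = parse_build(build)
    fixed = FIXED_BUILDS.get((f"{major}.{minor}", fips))
    if fixed is None:
        return None
    return (b_major, b_minor) < parse_build(fixed)[2:]


def make_sample_rdx(mtime: int) -> bytes:
    """Constructed stand-in for a downloaded rdx_en.json.gz with the given header MTIME."""
    return gzip.compress(b'{"constructed": "sample"}', mtime=mtime)


def fetch_rdx(host: str, timeout: float = 10.0) -> bytes:
    """Fetch the file from an appliance you are authorised to test (assumed helper, not called below)."""
    req = urllib.request.Request(f"https://{host}{RDX_PATH}", headers={"User-Agent": "rdx-fingerprint"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(10)  # the 10-byte header is all gzip_mtime needs


if __name__ == "__main__":
    sample = make_sample_rdx(1689014191)            # the 13.1-49.13 value from the post
    build = build_from_rdx(sample)
    print(build, is_vulnerable(build))               # 13.1-49.13 True
    print(is_vulnerable("12.1-55.297", fips=True))   # True
    print(is_vulnerable("13.1-59.22"))               # False
    print(is_vulnerable("12.1-65.1"))                # None: non-FIPS 12.1 is EOL (assumed build string)
```

Only the first ten bytes of the response are needed, which keeps the check cheap enough to run across a vendor inventory; a result of None from is_vulnerable should be treated as "migrate", not "safe".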
Threat Actors & Campaign Notes
- Observed: Active exploitation of CVE-2025-7775 prior to patch release.
- Attribution: Not confirmed publicly as of August 27, 2025.
- Context: Recent Citrix NetScaler campaigns showed large numbers of unpatched instances and scanning spikes; expect similar opportunistic targeting.
Impact on Third-Party Risk
- Why suppliers matter: ADC/Gateway appliances terminate remote access and often hold session material. A single unpatched vendor edge can enable lateral movement into your data.
- Business impact: Downtime, credential/session theft, and persistence via web shells on gateway VIPs can disrupt operations and incident containment across your vendor chain.
What to Ask Your Vendors (TPRM)
Ask for clear, evidence-backed answers:
- Exact Citrix product and build (e.g., 13.1-59.22) in production, DR, and test.
- Which features are enabled (Gateway/AAA/IPv6 LB/HDX, PCoIP).
- Patch status for CVE-2025-7775/7776/8424 with dates and screenshots or CLI output.
- Exposure profile: internet-facing VIPs, geos, auth posture (MFA/SSO), allowlists.
- Management plane controls: NSIP/Cluster IP not routable from internet; jump hosts only.
- WAF/reverse proxy policies and rate limits applied to Gateway/AAA.
- Monitoring sources (ADC/Gateway logs, WAF, NDR, EDR) and retro-hunt window back to August 1, 2025.
- Signs of compromise: web-shell checks, unexpected files, unexplained restarts/crashes.
- Incident status & customer impact statement (if any).
- Compensating controls and next review date for Citrix exposure.
Recommended Actions This Week
Internal teams
- Patch to 14.1-47.48 / 13.1-59.22 / 13.1-37.241 (FIPS/NDcPP) / 12.1-55.330 (FIPS/NDcPP).
- Restrict management plane (NSIP/Cluster/GSLB/SNIP-mgmt) to trusted networks.
- Hunt back to August 1, 2025: crashes, anomalous /vpn/ requests, and unexpected files on the appliance.
- If PCoIP is used, review Gateway bindings; after upgrade, terminate active sessions.
Third-party oversight
- Issue a focused questionnaire (build numbers, configs, exposure, logs).
- Require evidence links (ticket, change record, build output).
- Track remediation to closure and re-verify in 72 hours with fresh evidence.
How Black Kite Helps
Black Kite FocusTags™ convert breaking technical findings into supplier-level actions. For CitrixDeelb, tags isolate vendors running affected NetScaler builds, prioritize internet-facing remote-access nodes, and provide ready-to-send question sets that request version evidence, config details, and timelines. Remediation is tracked against the Citrix FocusTag, and exports flow cleanly into your ticketing or GRC so owners stay accountable as advisories—and KEV—update.

References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
- https://nvd.nist.gov/vuln/detail/CVE-2025-7775
- https://nvd.nist.gov/vuln/detail/CVE-2025-7776
- https://nvd.nist.gov/vuln/detail/CVE-2025-8424
- https://www.infosecurity-magazine.com/news/citrix-patch-netscaler-zero-days/
- https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/
- https://thehackernews.com/2025/08/citrix-patches-three-netscaler-flaws.html
- https://www.cisa.gov/news-events/alerts/2025/08/26/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.darkreading.com/vulnerabilities-threats/citrix-zero-day-under-active-attack
- https://www.helpnetsecurity.com/2025/08/26/netscaler-adc-gateway-zero-day-exploited-by-attackers-cve-2025-7775/
- https://github.com/NCSC-NL/citrix-2025