Overview

• Citrix released fixes for three NetScaler flaws and confirmed in‑the‑wild exploitation of CVE‑2025‑7775, a memory overflow bug enabling pre‑auth remote code execution or denial of service.
• CISA added CVE‑2025‑7775 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to remediate by August 28 or discontinue use.
• Shadowserver counted more than 28,200 vulnerable instances soon after disclosure, dropping to about 13,000 a day later, with the largest concentrations in the United States and Germany.
• Researchers report CVE‑2025‑7775 has been used to plant webshells and backdoors, prompting warnings that patching should be paired with incident response and compromise hunting.
• Citrix says there are no workarounds or published IOCs and notes many affected appliances run end‑of‑life versions that require upgrades, alongside additional fixes for CVE‑2025‑7776 and CVE‑2025‑8424.