The Australian Signals Directorate’s Australian Cyber Security Centre has issued a critical alert for technical IT services supporting organisations, such as critical infrastructure, and government.
Multiple vulnerabilities have been reported, impacting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products:
- CVE-2025-7775 (Critical) involves a memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service.
- CVE-2025-7776 (High) involves a memory overflow vulnerability leading to unpredictable or erroneous behaviour and Denial of Service.
- CVE-2025-8424 (High) involves improper access control on the NetScaler Management Interface.
The following versions of NetScaler ADC and NetScaler Gateway are affected:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
Citrix reports active exploitation of these vulnerabilities has been observed.
Australian organisations should review their networks for use of vulnerable instances of NetScaler ADC and NetScaler Gateway.
Updated software versions are available for affected NetScaler products.
Citrix’s Security Bulletin should be consulted for advice on detecting and updating vulnerable instances of these products.
Additional details are also available at Critical security update announced for NetScaler Gateway and NetScaler
Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371).
Read this alert on the website: Multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway devices | Cyber.gov.au
