28,000+ Citrix Servers Still Unpatched: CVE‑2025‑7775 Exploit Active Since Aug 26

Shadowserver finds 28,200+ Citrix NetScaler still vulnerable to CVE‑2025‑7775. Exploits active since Aug 26; CISA KEV due today.

Breaking News Summary

  • Shadowserver scans show over 28,200 internet‑exposed Citrix NetScaler ADC/Gateway instances still vulnerable to CVE‑2025‑7775, with exploitation active since Aug 26. Geographic hotspots include the U.S. and Germany, indicating a widespread lag in emergency patching. [heise+1]

  • CISA added CVE‑2025‑7775 to the KEV catalog and set a remediation deadline of today, Aug 28, for U.S. federal agencies, underscoring the urgent risk profile of this edge‑device RCE. [securityaffairs]

Global Exposure Snapshot

  • Shadowserver‑reported vulnerable instances: 28,200+ as of Aug 26. [bleepingcomputer+1]

  • Noted concentrations: United States (>10,000) and Germany (>4,300); additional exposure in the UK, the Netherlands, and Switzerland per media summaries of Shadowserver’s feeds. [securityaffairs+1]

Technical Details

  • CVE‑2025‑7775: Memory overflow enabling unauthenticated RCE/DoS on NetScaler ADC/Gateway; exploitation observed in the wild. [nvd.nist+1]

  • Exploitable configurations: NetScaler configured as Gateway/AAA; or LB vServers (HTTP/SSL/HTTP_QUIC) bound to IPv6 services/DBS IPv6; or CR vServer of type HDX. [thehackernews]

  • Affected versions (prior to the fixed builds): 14.1 < 14.1‑47.48; 13.1 < 13.1‑59.22; 13.1‑FIPS/NDcPP < 13.1‑37.241; 12.1‑FIPS/NDcPP ≤ 12.1‑55.330. [tenable+1]

Immediate Actions

  • Patch now: Upgrade to 14.1‑47.48+, 13.1‑59.22+, or the corresponding FIPS/NDcPP builds; no official workarounds are provided. [thehackernews+1]

  • Reduce exposure: If patching is delayed, remove or limit IPv6 LB bindings, geofence Gateway/AAA, and strictly block the management plane from the internet. [securityaffairs+1]

SIEM Detection Rules (starter ideas)

  • Surge detection: Alert on off‑hours spikes in requests to Gateway/AAA and IPv6‑bound LB vServers; maintain separate baselines for IPv6 sources. [heise+1]

  • Error/crash correlation: Flag sudden NetScaler service restarts or core dumps that coincide with anomalous HTTP/QUIC request patterns from new ASNs. [bleepingcomputer+1]

  • Egress anomalies: Detect unusual outbound connections or data volume from NetScaler subnets to rarely seen external IPs immediately after spikes in inbound probes. [securityaffairs+1]

Patch Verification Steps

  • Check build: After upgrade, verify in system information that the build equals or exceeds 14.1‑47.48 or 13.1‑59.22 (or the noted FIPS/NDcPP builds). [tenable+1]

  • Vendor console: Use the NetScaler/Cloud Software Group console advisory module (CVE Detection > Impacted Instances) to confirm the remediation state after a scan. [netscaler]

  • Smoke tests: Validate Gateway/AAA auth, LB vServer health (IPv4/IPv6), and WAF policies; confirm there is no external exposure of NSIP/Cluster/GSLB/SNIP with management access. [thehackernews]
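The "Check build" step above, as an added example that is not from the original post or from Citrix/NetScaler: a small Python triage helper that parses `show ns version`-style strings and classifies each build against the fixed-build table in Technical Details. Host names and version strings are constructed samples; branches the page does not list (for example 13.0) are reported as unknown rather than assumed safe.

```python
import re

# Fixed builds as listed in this page's Technical Details. "lt": builds below
# the threshold are vulnerable; "le": builds up to and including it are
# vulnerable (the page gives "<=" for 12.1-FIPS/NDcPP).
FIXED_BUILDS = {
    ("14.1", False): ((47, 48), "lt"),
    ("13.1", False): ((59, 22), "lt"),
    ("13.1", True): ((37, 241), "lt"),
    ("12.1", True): ((55, 330), "le"),
}

# Matches "14.1-47.48", "NS14.1: Build 47.46.nc" and "13.1-FIPS 37.200".
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)\D+?(\d+)\.(\d+)")

def parse_build(text):
    """Return (branch, (build_major, build_minor)) or None if no version found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(text):
    """Return 'patched', 'vulnerable', 'unknown-branch' (e.g. 13.0) or 'unparseable'."""
    parsed = parse_build(text)
    if parsed is None:
        return "unparseable"
    branch, build = parsed
    # FIPS/NDcPP builds have separate thresholds; detect them from the string.
    fips = re.search(r"fips|ndcpp", text, re.I) is not None
    entry = FIXED_BUILDS.get((branch, fips))
    if entry is None:
        return "unknown-branch"
    threshold, op = entry
    vulnerable = build < threshold if op == "lt" else build <= threshold
    return "vulnerable" if vulnerable else "patched"

def triage(inventory):
    """Map each host in {host: version string} to its status."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (not real hosts); NS13.0 is outside the table.
    sample = {
        "gw1.example.test": "NetScaler NS14.1: Build 47.46.nc",
        "gw2.example.test": "NetScaler NS14.1: Build 47.48.nc",
        "lb1.example.test": "NetScaler NS13.1: Build 37.241.nc (FIPS)",
        "old.example.test": "NetScaler NS13.0: Build 92.21.nc",
    }
    for host, status in triage(sample).items():
        print(host, status)
```

Feed it the output of `show ns version` from each appliance; anything not reported as "patched" needs a closer look before the KEV deadline.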

Emergency Mitigation (if not yet patched)

  • Restrict: Geofence AAA/Gateway to trusted IPs; rate‑limit auth endpoints; temporarily disable nonessential IPv6 LB vServers or unbind IPv6 services. [heise+1]

  • Shield: Apply upstream WAF anomaly rules for oversized headers/params and malformed QUIC/HTTP/2 frames while patching proceeds. [thehackernews]

  • Monitor: Keep a 24x7 watch for inbound scanning bursts followed by immediate egress; have incident response ready to isolate the appliance quickly if anomalies are detected. [bleepingcomputer+1]

FAQ

  • Is CVE‑2025‑7775 exploited now? Yes, active since Aug 26 per the vendor and researchers. [bleepingcomputer+1]

  • What’s the federal deadline? The CISA KEV due date is Aug 28, 2025, for U.S. agencies; private organizations should treat it with the same urgency. [securityaffairs]

  • Can mitigations replace patching? No. There are no official workarounds, so patching is mandatory; use mitigations only as temporary risk reduction. [securityaffairs+1]

  • How to confirm closure? Verify build numbers, run the NetScaler console’s CVE scan, and re‑scan externally with Shadowserver‑style checks. [netscaler+1]

  • Rollback and continuity? Stage a tested rollback image, maintain HA pairs during the upgrade, and schedule rolling maintenance with health probes to avoid downtime. [thehackernews]

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!