Citrix Bleed 3? Attackers are already exploiting new security vulnerabilities
Attackers are targeting vulnerable NetScaler ADC and Gateway devices, according to the manufacturer Citrix and the US authority CISA. Admins should hurry.
Almost two months to the day after the "Citrix Bleed 2" security flaw became known, users of NetScaler ADC and Gateway appliances are once again facing trouble. The manufacturer is reporting three vulnerabilities, one of which is critical. Admins should check whether their devices are affected – Citrix has published guidance on this.
Vulnerable software
According to Citrix, the affected firmware versions do not differ between the vulnerabilities. They are:
- NetScaler ADC and NetScaler Gateway 14.1 prior to version 14.1-47.48,
- NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-59.22,
- NDcPP- and FIPS-certified versions NetScaler ADC "13.1-FIPS and NDcPP" before version number "13.1-37.241-FIPS and NDcPP" and
- NDcPP- and FIPS-certified versions NetScaler ADC "12.1-FIPS and NDcPP" before "12.1-55.330-FIPS and NDcPP"
However, none of the three vulnerabilities is exploitable in the default settings; each requires certain conditions. For the most severe of the three security flaws, a memory overflow with the subsequent possibility of injecting code (CVE-2025-7775, CVSS4 9.2/10, severity critical), one of four preconditions must be met, as Citrix explains further in the advisory:
- NetScaler must be configured as a gateway – this should apply to a large majority of devices,
- or the NDcPP/FIPS-certified version must offer load balancing services for HTTP/QUIC in IPv6,
- or NetScaler is configured as a virtual CR server (cache redirection) of type HDX.
However, the two less critical vulnerabilities also have a high potential for damage. CVE-2025-7776 (CVSS 8.8, severity high) can destabilize the device, but requires a configuration as a gateway with a PCoIP profile (PC over Internet Protocol). CVE-2025-8424 (CVSS4 8.7/10, severity "high"), on the other hand, gives attackers access to protected files. To do this, however, they need access to the appliance's management interface, which according to Citrix is usually protected with access lists (ACLs) or an external authentication solution.
Updates available
Admins should now quickly check whether their devices are affected. This can be done by checking the configuration file "ns.conf" for the necessary preconditions – Citrix explains how to do this in a support article.
The following firmware versions contain the fixes:
- NetScaler ADC / NetScaler Gateway 14.1-47.48 and later,
- NetScaler ADC / NetScaler Gateway 13.1-59.22 and later versions of the 13.1 branch,
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later versions of 13.1-FIPS and 13.1-NDcPP, and
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later versions of 12.1-FIPS and 12.1-NDcPP.
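The check described above, as an added Python example (not Citrix's script and not the commands from its support article): it compares a build string with the fixed versions listed above and searches ns.conf text for three of the preconditions named in this article. The regular expressions, including the `-pcoipVserverProfileName` parameter, are assumptions based on NetScaler CLI syntax, the sample configuration is constructed, and the IPv6 load-balancing precondition is not covered.

```python
import re

# Fixed builds from the list above, keyed by (release, FIPS/NDcPP-certified build?).
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

NAME = r'(?:"[^"]+"|\S+)'  # vserver names may be quoted in ns.conf
# Assumed ns.conf patterns (NetScaler CLI syntax), not Citrix's official checks.
PRECONDITIONS = {
    "CVE-2025-7775: gateway": re.compile(r"^add vpn vserver\s", re.I | re.M),
    "CVE-2025-7775: CR vserver of type HDX": re.compile(
        rf"^add cr vserver\s+{NAME}\s+HDX\b", re.I | re.M),
    "CVE-2025-7776: gateway with PCoIP profile": re.compile(
        r"^add vpn vserver\s.*-pcoipVserverProfileName\s", re.I | re.M),
}

def is_fixed(version, certified=False):
    """True/False for a build such as '13.1-59.22'; None if the branch is not listed above."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    fixed = FIXED.get((m.group(1), certified))
    if fixed is None:
        return None
    return (int(m.group(2)), int(m.group(3))) >= fixed

def matched_preconditions(ns_conf):
    """Names of the preconditions whose pattern occurs in the ns.conf text."""
    return [name for name, rx in PRECONDITIONS.items() if rx.search(ns_conf)]

def triage(version, ns_conf, certified=False):
    fixed = is_fixed(version, certified)
    if fixed:
        return "fixed build"
    hits = matched_preconditions(ns_conf)
    prefix = "branch not in list" if fixed is None else "vulnerable build"
    return f"{prefix}; preconditions matched: {', '.join(hits) or 'none'}"

# Constructed sample configuration, for illustration only.
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.10 80
add vpn vserver gw_ext SSL 203.0.113.10 443 -pcoipVserverProfileName pcoip_vs
add cr vserver "cr hdx" HDX 10.0.0.20 443
"""
```

A result of "none" only means that none of the three covered patterns matched; the conditions in Citrix's advisory remain the reference.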
Active attacks – Is Citrix Bleed 3 a threat?
Citrix states that the critical vulnerability CVE-2025-7775 is already under active attack. The US cyber security authority CISA also warned of attack attempts in its "Known Exploited Vulnerabilities" list (KEV) late in the evening of August 26.
It is therefore advisable to install updates as soon as possible – the last Citrix vulnerability escalated unpleasantly and is still being exploited. It was nicknamed "Citrix Bleed 2" and had the CVE ID CVE-2025-5777. The new critical vulnerability now reverses this numerical code, turning 5777 into 7775 – an interesting coincidence.
Vigilance is always required, as such flaws always carry the potential for mass exploitation by cybercriminals such as ransomware gangs. Whether a "Citrix Bleed 3" is imminent remains to be seen.
(cku)