Citrix has released urgent fixes for three vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical remote code execution (RCE) zero-day tracked as CVE-2025-7775. The flaw, caused by a memory overflow, allows unauthenticated attackers to execute code remotely on affected appliances. Citrix confirmed active exploitation of unpatched systems and warned that no temporary mitigations exist, making updates the only effective protection.
Healthcare organizations are particularly exposed since NetScaler appliances are widely used to support secure VPN access, remote medical systems, and telehealth portals. The flaw impacts devices configured as Gateways (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers, as well as those using IPv6 load-balancing services. CR virtual servers configured for HDX are also vulnerable. Administrators are strongly urged to validate their environments and apply the fixed firmware immediately.
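
One way to validate an environment against the configurations listed above, as an added example that is not Citrix's own tooling or part of the original article: the script reads a saved NetScaler configuration and reports Gateway (VPN) virtual servers, AAA virtual servers, CR virtual servers of type HDX, and LB virtual servers bound to IPv6 back ends. It assumes the usual CLI line forms (`add vpn vserver`, `add authentication vserver`, `add cr vserver <name> HDX`, `add server`, `add service`, `bind serviceGroup`, `bind lb vserver`) and object names without spaces; the sample configuration is constructed. A match means the appliance is in scope for the fix, not that it has been compromised.

```python
import ipaddress

# Constructed sample in NetScaler config syntax; every name and address is made up.
SAMPLE_NS_CONF = """\
add server web-v4 192.0.2.10
add server web-v6 2001:db8::10
add serviceGroup sg-web HTTP
add serviceGroup sg-legacy HTTP
bind serviceGroup sg-web web-v6 80
bind serviceGroup sg-legacy web-v4 80
add lb vserver lb-web HTTP 203.0.113.5 80
add lb vserver lb-legacy HTTP 203.0.113.8 80
bind lb vserver lb-web sg-web
bind lb vserver lb-legacy sg-legacy
add vpn vserver gw-telehealth SSL 203.0.113.6 443
add cr vserver cr-hdx HDX 203.0.113.7 443
"""

def is_ipv6(token):
    try:
        return ipaddress.ip_address(token).version == 6
    except ValueError:
        return False

def exposure_findings(ns_conf_text):
    """Map each configuration class named in the article to matching vserver names."""
    # Assumption: object names contain no spaces, so whitespace splitting is enough.
    rows = [t for t in (l.split() for l in ns_conf_text.splitlines()) if len(t) >= 4]
    verb = lambda t, n: " ".join(t[:n]).lower()
    found = {"gateway": [], "aaa": [], "cr_hdx": [], "ipv6_lb": []}
    v6_servers = {t[2] for t in rows if verb(t, 2) == "add server" and is_ipv6(t[3])}
    # Services and service groups whose member is an IPv6 server or literal address.
    v6_backends = {t[2] for t in rows
                   if verb(t, 2) in ("add service", "bind servicegroup")
                   and (t[3] in v6_servers or is_ipv6(t[3]))}
    for t in rows:
        if verb(t, 3) == "add vpn vserver":
            found["gateway"].append(t[3])
        elif verb(t, 3) == "add authentication vserver":
            found["aaa"].append(t[3])
        elif verb(t, 3) == "add cr vserver" and len(t) > 4 and t[4].upper() == "HDX":
            found["cr_hdx"].append(t[3])
        elif verb(t, 3) == "bind lb vserver" and len(t) > 4 and t[4] in v6_backends:
            found["ipv6_lb"].append(t[3])
    return found

if __name__ == "__main__":
    for kind, names in exposure_findings(SAMPLE_NS_CONF).items():
        print(f"{kind}: {', '.join(names) or 'none found'}")
```
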

Citrix NetScaler ADC. Source: citrix.com.
Alongside the critical zero-day, Citrix addressed CVE-2025-7776, another memory overflow bug that can cause denial of service, and CVE-2025-8424, an improper access control issue on the management interface. While indicators of compromise have not been released, attackers are already targeting exposed NetScaler appliances.
This latest zero-day follows closely on the heels of “Citrix Bleed 2” (CVE-2025-5777) disclosed in June, which allowed attackers to read sensitive data from memory and was exploited in real-world attacks before proof-of-concept code was made public. The repeated exploitation of Citrix vulnerabilities highlights the high value attackers place on healthcare’s remote access systems, which, if compromised, could expose patient data, disrupt care delivery, or enable large-scale fraud.
Healthcare security teams should prioritize patching Citrix NetScaler appliances immediately, as exploitation is already underway and no workarounds exist. Beyond applying updates, administrators should review configurations for unnecessary exposure, restrict management access, and increase monitoring for unusual login activity or traffic spikes that could indicate compromise. Given the sector’s reliance on NetScaler for telehealth and remote access, delayed patching could lead to breaches with direct impact on patient safety, confidentiality, and critical healthcare operations. Rapid response and rigorous patch management are essential to protect both data and care delivery.