Critical Citrix NetScaler Flaws Expose ADC and Gateway Appliances
Citrix NetScaler ADC and NetScaler Gateway appliances are affected by multiple critical vulnerabilities that can expose organizations to compromise, including CVE-2025-5349, CVE-2025-5777, and CVE-2026-3055. The flaws impact supported NetScaler releases, while end-of-life versions 12.1 and 13.0 remain vulnerable without fixes. CVE-2025-5349 enables access-control bypass on the management interface, CVE-2025-5777 is an out-of-bounds read that can leak sensitive memory contents, and CVE-2026-3055 is an input-validation flaw that can lead to memory overwrite when NetScaler is configured as a SAML Identity Provider.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Citrix discloses CVE-2026-3055 in NetScaler ADC and Gateway
A March 2026 advisory disclosed CVE-2026-3055, a critical insufficient input validation flaw in supported NetScaler ADC and NetScaler Gateway versions that can enable memory overwrite. Exploitation is possible when NetScaler is configured as a SAML Identity Provider, and customers were advised to upgrade to fixed releases.
Citrix discloses new NetScaler flaws including CVE-2025-7775 and CVE-2025-8424
On 2025-08-26, a new advisory described multiple vulnerabilities affecting supported NetScaler ADC and NetScaler Gateway versions, including CVE-2025-7775, CVE-2025-5777, and CVE-2025-8424. Citrix urged immediate upgrades and noted that Secure Private Access on-prem and Hybrid instances using NetScaler are also affected, while end-of-life 12.1 and 13.0 versions remain vulnerable.
Proof-of-concept exploit for NetScaler flaws is published and used in attacks
By 7 August 2025, continued global exploitation of the NetScaler vulnerabilities was being observed, and a proof-of-concept exploit had been published and was actively used. Guidance recommended patching immediately, terminating active ICA and PCoIP sessions after updates, and reviewing logs for indicators of compromise.
Citrix discloses critical NetScaler flaws CVE-2025-5349 and CVE-2025-5777
A June 2025 advisory reported two critical vulnerabilities affecting supported NetScaler ADC and NetScaler Gateway versions: CVE-2025-5349, which can bypass access controls on the management interface, and CVE-2025-5777, an out-of-bounds read issue that can expose sensitive memory contents. Customers were urged to update to fixed versions, with end-of-life 12.1 and 13.0 versions noted as still vulnerable.


