Urgent Security Alert: Critical Unauthenticated RCE Flaw in NetScaler ADC & Gateway (CVE-2025-7775)
A critical zero-day vulnerability, identified as CVE-2025-7775, has been discovered in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. This flaw is currently being actively exploited in the wild, posing a severe and immediate threat to thousands of organizations worldwide. Due to its severity and the low complexity of exploitation, security teams must take immediate action to mitigate this risk.
This vulnerability allows for unauthenticated remote code execution (RCE), which is one of the most dangerous types of security flaws. In simple terms, it means an attacker requires no username, password, or any other form of authentication to gain complete control over a vulnerable system. By sending a specially crafted request to an exposed appliance, a remote threat actor can execute malicious code, effectively gaining a backdoor into the core of a corporate network.
Which Systems Are at Risk?
The vulnerability affects specific configurations of NetScaler ADC and Gateway. Your appliance is vulnerable if it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
These configurations are commonly used to manage secure remote access for employees and control user authentication, placing them at the network perimeter. Their public-facing nature makes them a prime target for attackers, who are actively scanning the internet for unpatched devices. If your organization uses these NetScaler features, you should assume you are a target and proceed with immediate investigation and remediation.
How Attackers Are Exploiting the Vulnerability
Once an attacker successfully exploits CVE-2025-7775, they gain a foothold within the target’s network. The primary post-exploitation activity observed involves deploying web shells—malicious scripts that provide persistent remote access and a graphical interface for executing further commands.
With this level of access, attackers can:
- Steal sensitive session data and credentials stored on the device.
- Move laterally across the internal network to access other critical systems.
- Deploy ransomware or other malware payloads.
- Exfiltrate confidential company data.
The speed and scale of these attacks indicate that they are likely automated, meaning any vulnerable, internet-facing appliance is at high risk of being compromised.
Your Immediate Action Plan: How to Secure Your Appliances
Given the active exploitation of this zero-day, a rapid and thorough response is critical. Simply patching is not enough; you must also investigate for signs of an existing compromise.
1. Patch Immediately
The first and most crucial step is to apply the security updates provided by the vendor. Delaying this process leaves your organization exposed. Prioritize patching all internet-facing NetScaler appliances, followed by those on the internal network. Waiting for a scheduled maintenance window is not a viable option in the face of an active zero-day threat.
2. Hunt for Signs of Compromise
Because this vulnerability was exploited before a patch was available, you must assume your system has been compromised and actively search for evidence. Security teams should immediately begin forensic investigations on all vulnerable appliances.
Key indicators of compromise (IOCs) to look for include:
- Suspicious Files: Look for unknown
.php,.aspx, or other web shell files in NetScaler directories, particularly within/var/vpn/or/netscaler/log/. - Unusual Processes: Investigate any running processes that are not part of the standard NetScaler software. Attackers often use generic names to disguise malicious processes.
- Outbound Network Traffic: Analyze firewall and network logs for any unusual outbound connections from your NetScaler appliances. Attackers often use these connections to exfiltrate data or communicate with command-and-control (C2) servers.
- Gaps in Logs: Check for any unexplained gaps or modifications in system logs, as sophisticated attackers may attempt to cover their tracks by deleting evidence.
If any evidence of compromise is found, activate your incident response plan immediately. This may involve isolating the affected appliance, resetting all credentials, and conducting a wider investigation to determine the full extent of the breach. This proactive approach is essential for preventing a minor foothold from escalating into a major security incident.
Source: https://www.helpnetsecurity.com/2025/08/26/netscaler-adc-gateway-zero-day-exploited-by-attackers-cve-2025-7775/
