Citrix NetScaler appliances are once again the target of active exploitation. On August 26, 2025, Citrix published security advisory CTX694938 describing three critical vulnerabilities. The most notable is CVE-2025-7775, which is already being exploited in the wild.
Organizations should now assume that appliances exposed to the Internet may have already been compromised, even if no symptoms are visible.
Summary of Critical CVEs
| CVE-ID | CVSS | Description |
|---|---|---|
| CVE-2025-7775 | 9.2 | Memory overflow enabling unauthenticated RCE / DoS |
| CVE-2025-7776 | 8.8 | Memory overflow leading to erratic behavior / DoS |
| CVE-2025-8424 | 8.7 | Improper access control on the management interface |
Affected versions include all builds before:
- 1‑47.48
- 1‑59.22
- 1‑FIPS‑37.241
- 1‑FIPS‑55.330
A Proven Method: THOR for Agentless NetScaler Scanning
Nextron has repeatedly demonstrated the value of agentless compromise assessments on Citrix NetScaler appliances, most notably during CVE‑2023‑3519, and again now in the context of CVE‑2025‑7775.
With THOR, security teams can remotely scan appliances over SSH without installing software, agents, or modifying the system.
Key Benefits:
- Agentless compromise assessment via SSHFS
- YARA and IOC-based detection of webshells, backdoors, exploit traces
- Virtual host mapping for clean log attribution
- Resilient scanning: scan resumes after network disconnects
For a detailed how-to, refer to our previous post: How to Perform Compromise Assessments on NetScaler using THOR
First Matches Reported
Early compromise indicators consistent with CVE-2025-7775 exploitation have been reported in the field. THOR’s curated YARA rules and IOCs are designed to detect potential artifacts such as web shells or modified system files on affected appliances.
Who Should Take Action?
This approach is recommended for:
- CERTs / CSIRTs conducting incident response
- Service providers performing compromise assessments
- Organizations operating NetScaler appliances in perimeter roles
- Environments without EDR coverage on appliances
Licensing Requirements
To perform these scans, customers require a THOR Forensic Lab License, which enables:
- Scanning of mounted remote file systems
- Full signature coverage, including CVE-specific rules
- Advanced scan features: `--lab`, `--virtual-map`, `--intense`, and hostname mapping
Our Recommendation
- Patching is not enough. Appliances may have already been compromised.
- Think of scanning like monitoring your perimeter: it’s not a one-off task, but a continuous check to ensure that yesterday’s patch doesn’t hide today’s compromise.
- Scan externally facing NetScaler systems with THOR to detect any post-exploitation artifacts.
- Use Nextron’s YARA/IOC coverage to find what traditional AV/EDR products may miss.
With active exploitation of CVE‑2025‑7775 confirmed, organizations must move quickly to assess exposure.
THOR provides a proven and agentless solution for performing forensic compromise assessments on NetScaler appliances, a method already successfully applied in previous exploitation waves.
Need Assistance or a Walkthrough?
We are available to support you in setting up a scan or providing a demo of the NetScaler scanning methodology. Just contact us by filling out the form.





Nextron Threat Research Team
Florian Roth
Marius Benthin