There’s a bunch of new Netscaler vulns being exploited as zero days. Patches just out now.
Preauth RCE being used to drop webshells to backdoor orgs. CVE-2025-7775 is the main problem.
Orgs will need to do IR afterwards as technical details emerge of backdoor.
The NCSC have published an advisory on CVE-2025-7775 (CitrixDeelb), saying it is highly likely it will be mass exploited:
https://advisories.ncsc.nl/2025/ncsc-2025-0268.html
They've also published a script to check for post exploitation, i.e. backdoor access which persists post patching: https://github.com/NCSC-NL/citrix-2025/blob/main/live-host-bash-check/TLPCLEAR_check_script_cve-2025-6543-v1.8.sh
Cloud Software Group, who own Netscaler, have published their own blog about CVE-2025-7775 (CitrixDeelb)
...however they've incorrectly said it applies to IPv6 setups only. This is wrong. They've missed the "OR" statements from their own advisory.
Kevin Beaumont
faebudo