There’s a bunch of new Netscaler vulns being exploited as zero days. Patches just out now.

Preauth RCE being used to drop webshells to backdoor orgs. CVE-2025-7775 is the main problem.

Orgs will need to do IR afterwards as technical details of the backdoor emerge.

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424


Must be Tuesday.
Internet scanning for hosts vulnerable to CVE-2025-7775 (CitrixDeelb) has begun, will put up results tomorrow or Friday.
16% patch rate, 84% unpatched, if anybody is interested
Citrix Netscaler boxes presented to the internet over time, for anybody interested, pulled via @shodan

The NCSC have published an advisory on CVE-2025-7775 (CitrixDeelb), saying it is highly likely it will be mass exploited:

https://advisories.ncsc.nl/2025/ncsc-2025-0268.html

They've also published a script to check for post exploitation, i.e. backdoor access which persists post patching: https://github.com/NCSC-NL/citrix-2025/blob/main/live-host-bash-check/TLPCLEAR_check_script_cve-2025-6543-v1.8.sh

Cloud Software Group, who own Netscaler, have published their own blog about CVE-2025-7775 (CitrixDeelb)

https://www.netscaler.com/blog/news/critical-security-update-announced-for-netscaler-gateway-and-netscaler/

...however they've incorrectly said it applies to IPv6 setups only. This is wrong. They've missed the "OR" statements from their own advisory.

Here's the Citrix advisory, if anybody knows anybody at Cloud Software Group please get them to correct the blog post - it's a repeat of the CitrixBleed 2 situation again where the wrong information has been published to customers again.

I've published scan results for CVE-2025-7775 (CitrixDeelb - which is Bleed spelt backwards, as the CVE number is the reverse of CitrixBleed2)

Columns = IP, SSL hostnames, firmware version, vulnerable to CVE-2025-7775 exploitation.

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-7775-Citrix-Netscaler.csv
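For defenders who want to check their own address space against a scan file in the column layout described above (IP, SSL hostnames, firmware version, vulnerable flag), here is an added Python example; it is not from the original thread or from the published CSV's tooling. The sample rows are constructed, the firmware strings are placeholders, and the "Yes"/"No" flag format, the ";" hostname separator and the optional header line are assumptions about the file, not facts from the post.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the column order the post describes:
# IP, SSL hostnames, firmware version, vulnerable to CVE-2025-7775.
# Version strings are placeholders; the "Yes"/"No" flag is an assumed format.
SAMPLE_CSV = """\
ip,hostnames,firmware,vulnerable
203.0.113.10,vpn.example.com,14.1-example-old,Yes
203.0.113.11,gw.example.com,14.1-example-fixed,No
198.51.100.7,,13.1-example-old,Yes
192.0.2.45,portal.example.net;auth.example.net,13.1-example-fixed,No
"""


def parse_scan_csv(text):
    """Parse scan rows into dicts; any line whose first cell is not an IP
    (a header, a blank or a malformed line) is skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 4:
            continue
        try:
            ip = ipaddress.ip_address(rec[0].strip())
        except ValueError:
            continue  # header line or garbage, not an address
        rows.append({
            "ip": ip,
            # assumption: multiple SSL hostnames are ";"-separated
            "hostnames": [h.strip() for h in rec[1].split(";") if h.strip()],
            "firmware": rec[2].strip(),
            # assumption: the flag column is Yes/No-style text
            "vulnerable": rec[3].strip().lower() in ("yes", "true", "1"),
        })
    return rows


def in_my_ranges(rows, cidrs):
    """Keep only rows whose IP falls inside one of the organisation's CIDRs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [r for r in rows if any(r["ip"] in n for n in nets)]


def summarize(rows):
    """Count exposed hosts and compute the patch rate (None if no rows)."""
    total = len(rows)
    vuln = sum(1 for r in rows if r["vulnerable"])
    rate = round(100.0 * (total - vuln) / total, 1) if total else None
    return {"total": total, "vulnerable": vuln, "patch_rate": rate}


if __name__ == "__main__":
    scan = parse_scan_csv(SAMPLE_CSV)
    mine = in_my_ranges(scan, ["203.0.113.0/24"])  # constructed org range
    for r in mine:
        status = "VULNERABLE" if r["vulnerable"] else "patched"
        print(f"{r['ip']}  {','.join(r['hostnames']) or '-'}  "
              f"{r['firmware']}  {status}")
    print("whole file:", summarize(scan))
    print("my ranges :", summarize(mine))
```

Run it against the real CSV by reading the file instead of `SAMPLE_CSV` and passing your own public prefixes to `in_my_ranges`; any row flagged vulnerable in your ranges is a host that needs both patching and the post-exploitation check, since a webshell dropped before the patch survives it.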

@GossiTheDog Yay, only 8 in Bulgaria, most of them belonging to foreign companies, 3 of them in the same company. A1 is a telecom; these are probably residential IPs - but maybe somebody ought to call the US bank and the German insurance company here and tell them that they have a little bit of a problem...

88.203.128.230,Bulgaria,Sofia,A1 Bulgaria EAD
195.191.94.244,Bulgaria,,Bulgarian-American Credit Bank JSC
92.247.124.120,Bulgaria,Sofia,Ultracom Ltd.
213.169.55.20,Bulgaria,,A1 Bulgaria EAD
91.216.174.52,Bulgaria,,ZAD Allianz Bulgaria AD
91.216.174.42,Bulgaria,,ZAD Allianz Bulgaria AD
91.216.174.53,Bulgaria,,ZAD Allianz Bulgaria AD
213.169.55.31,Bulgaria,,A1 Bulgaria EAD