ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to ...

Why Nostr? What is Njump? Join Nostr

The Shadowserver Foundation

npub1cl…yl628

2025-08-27 11:19:56 UTC

ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV list addition.

Patch info from Citrix: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938

Top affected: US, Germany

Dashboard geo breakdown: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=exchange&source=exchange6&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&data_set=count&scale=log&auto_update=on

IP data is being shared in our Vulnerable HTTP reporting https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ (tagged 'cve-2025-7775')

If you receive an alert from us investigate for compromise

You can track CVE-2025-7775 patching progress on our Dashboard at: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-7775%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on

Author Public Key

npub1cla6jlqwtg3hhhqlg7rdz0lxtgfr0u5ee6vndqr0pzdtszzvt9gsyyl628

Seen on

wss://relay.momostr.pink

Show more details

Published at

2025-08-27 11:19:56 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "781b049f5f570dbcf2158f5c69cf6174db980b825aff5c2edf4e4a59e76143f6", "pubkey": "c7fba97c0e5a237bdc1f4786d13fe65a1237f299ce9936806f089ab8084c5951", "created_at": 1756293596, "kind": 1, "tags": [ [ "imeta", "url https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/100/456/735/893/197/original/d18ce5940dbfe1cc.png", "m image/png" ], [ "proxy", "https://infosec.exchange/@shadowserver/115100457149558908", "web" ], [ "proxy", "https://infosec.exchange/users/shadowserver/statuses/115100457149558908", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://infosec.exchange/users/shadowserver/statuses/115100457149558908", "pink.momostr" ], [ "-" ] ], "content": "ALERT: On 2025-08-26 over 28K Citrix NetScaler instances were unpatched to CVE-2025-7775 RCE. There is exploitation in the wild confirmed by US CISA KEV list addition.\n\nPatch info from Citrix: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938\n\nTop affected: US, Germany\n\nDashboard geo breakdown: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1\u0026source=exchange\u0026source=exchange6\u0026source=http_vulnerable\u0026source=http_vulnerable6\u0026tag=cve-2025-7775%2B\u0026data_set=count\u0026scale=log\u0026auto_update=on\n\nIP data is being shared in our Vulnerable HTTP reporting https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/ (tagged 'cve-2025-7775')\n\nIf you receive an alert from us investigate for compromise\n\nYou can track CVE-2025-7775 patching progress on our Dashboard at: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7\u0026source=http_vulnerable\u0026source=http_vulnerable6\u0026tag=cve-2025-7775%2B\u0026dataset=unique_ips\u0026limit=100\u0026group_by=geo\u0026stacking=stacked\u0026auto_update=on\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/115/100/456/735/893/197/original/d18ce5940dbfe1cc.png\n", "sig": "3a2d3dfa83d53e11629b4b1681cc99bcda5d2589dbf754d1a86985efd16d8d9a089bcf4de15d0d9b50b91e99b7d0b0d1d61656aa1f7f1532fb20a3d215687836" }