
28,000+ Citrix Servers Exposed to Active 0-Day RCE Vulnerability Exploited in the Wild


A critical zero-day remote code execution (RCE) vulnerability, tracked as CVE-2025-7775, affects more than 28,000 Citrix instances worldwide.

The flaw is being actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog.

The Shadowserver Foundation discovered that as of August 26, 2025, more than 28,200 servers remain unpatched, with the highest concentrations of vulnerable systems located in the United States and Germany.

[Figure: Vulnerable servers by country]

Citrix has released patches and urges administrators to apply them immediately to prevent system compromise. The active exploitation of this vulnerability poses a significant threat, as it allows unauthenticated attackers to execute arbitrary code on affected servers, potentially leading to full system takeover, data theft, and further network infiltration.

CVE-2025-7775: A Critical RCE Flaw

Remote code execution vulnerabilities are among the most severe security flaws, and CVE-2025-7775 is no exception. It allows a remote attacker, without needing any credentials, to run malicious code on a vulnerable Citrix server.

Vulnerability Details     | Information
--------------------------|--------------------------------------------------------------
CVE ID                    | CVE-2025-7775
Vulnerability Type        | Unauthenticated Remote Code Execution (RCE)
Status                    | Actively Exploited in the Wild (CISA KEV)
Affected Instances        | Over 28,200 (as of Aug 26, 2025)
Primary Mitigation        | Apply patches from Citrix Security Bulletin CTX694938
Top Affected Countries    | United States, Germany

This level of access could enable threat actors to deploy ransomware, install backdoors for persistent access, exfiltrate sensitive corporate data, or use the compromised server as a pivot point to attack other systems within the network.

The “zero-day” designation indicates that attackers were exploiting the flaw before an official patch was made available by Citrix. This gave threat actors a critical window of opportunity to compromise exposed systems.

Given the widespread use of Citrix products for secure remote access and application delivery in enterprise environments, the potential impact of this vulnerability is substantial. A successful exploit could disrupt business operations and result in significant financial and reputational damage.

The confirmation of in-the-wild exploitation by CISA underscores the urgency for immediate action. By adding CVE-2025-7775 to the KEV catalog, CISA has mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies patch their systems by a specified deadline, a directive that all organizations should follow.

The widespread nature of the vulnerability, affecting tens of thousands of servers globally, means that automated attacks are likely to escalate as more attackers weaponize the exploit.

Citrix has published a security bulletin, CTX694938, which contains the necessary patch information and guidance. The primary and most effective mitigation is to apply the updates to all affected instances without delay.

For organizations that cannot patch immediately, it is crucial to review server logs for any indicators of compromise (IoCs), such as unusual processes or outbound network connections.

Isolating vulnerable servers from the internet and deploying web application firewall (WAF) rules to block exploit attempts can serve as temporary compensating controls.
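The log review the article recommends can be scripted as a baseline check: anything a Citrix appliance talks to, or any process it runs, that is not on the expected list gets flagged for a human to triage. The block below is an added example and is not code from the article, Citrix, or Shadowserver. The log line format ("timestamp src dst:port proc=name"), the sample lines, the baseline process names, the internal address ranges and the allowlisted external destination are all constructed for illustration; a real deployment would feed it the appliance's own connection and process logs and its own baseline.

```python
"""Added example: flag outbound connections and process names that deviate
from a known-good baseline in constructed server log lines. This is the
kind of indicator-of-compromise review the article suggests for servers
that cannot be patched immediately; the log format is hypothetical."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in a hypothetical "ts src dst:port proc=name" format.
SAMPLE_LOG = """\
2025-08-26T10:00:01Z 10.0.5.20 10.0.5.5:636 proc=nsconf
2025-08-26T10:00:07Z 10.0.5.20 10.0.5.9:443 proc=nsconf
2025-08-26T10:02:13Z 10.0.5.20 203.0.113.77:4444 proc=sh
2025-08-26T10:02:15Z 10.0.5.20 198.51.100.12:443 proc=curl
2025-08-26T10:05:00Z 10.0.5.20 10.0.5.5:636 proc=nsconf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<port>\d+) proc=(?P<proc>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    reason: str  # "unexpected-process", "unexpected-outbound" or "unparsable"
    detail: str


def _is_internal(ip: str, internal_nets: list[ipaddress.IPv4Network]) -> bool:
    """True when the destination falls inside one of the baseline internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def review_log(
    text: str,
    baseline_procs: set[str],
    internal_cidrs: list[str],
    allowed_external: set[tuple[str, int]],
) -> list[Finding]:
    """Compare each log line against the baseline and return what deviates.

    A process not in ``baseline_procs`` is flagged, as is any connection to an
    external destination that is not explicitly allowlisted. Lines the parser
    cannot read are reported rather than silently skipped, since a broken
    logging pipeline is itself worth noticing during an incident.
    """
    internal_nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            findings.append(Finding("?", "unparsable", raw))
            continue
        ts, dst, port, proc = m["ts"], m["dst"], int(m["port"]), m["proc"]
        if proc not in baseline_procs:
            findings.append(Finding(ts, "unexpected-process", f"{proc} -> {dst}:{port}"))
        if not _is_internal(dst, internal_nets) and (dst, port) not in allowed_external:
            findings.append(Finding(ts, "unexpected-outbound", f"{proc} -> {dst}:{port}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, handy for a quick triage summary."""
    return dict(Counter(f.reason for f in findings))


# Constructed baseline for the sample above (hypothetical names and ranges).
BASELINE_PROCS = {"nsconf"}
INTERNAL_CIDRS = ["10.0.0.0/8"]
ALLOWED_EXTERNAL = {("198.51.100.12", 443)}  # e.g. a known update endpoint


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, BASELINE_PROCS, INTERNAL_CIDRS, ALLOWED_EXTERNAL):
        print(f"{f.ts} {f.reason:<20} {f.detail}")
    print(summarize(review_log(SAMPLE_LOG, BASELINE_PROCS, INTERNAL_CIDRS, ALLOWED_EXTERNAL)))
```

On the constructed sample, the shell process reaching an unlisted external host on port 4444 yields two findings (unexpected process and unexpected outbound connection), and the curl process to the allowlisted endpoint yields one (unexpected process only); the baseline nsconf traffic to internal hosts produces none. The script only surfaces deviations; deciding whether a flagged line is an attacker or a forgotten maintenance job remains a human call.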

The post 28,000+ Citrix Servers Exposed to Active 0-Day RCE Vulnerability Exploited in the Wild appeared first on Cyber Security News.

Source: cybersecuritynews.com
