Citrix NetScaler ADC and Gateway Vulnerability Enables Cross-Site Scripting Attacks

Posted on November 12, 2025 by CWS

Cloud Software Group has disclosed a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and NetScaler Gateway products.

Tracked as CVE-2025-12101, the flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, data theft, or unauthorized actions.

The vulnerability carries a moderate CVSSv4 score of 5.9, reflecting its network accessibility but also its dependence on user interaction.

NetScaler ADC, formerly Citrix ADC, and NetScaler Gateway serve as critical application delivery controllers and secure remote access solutions for thousands of organizations worldwide.

They handle VPN connections, load balancing, and authentication, making them prime targets for threat actors. This XSS issue stems from improper neutralization of input during web page generation, classified under CWE-79.

Citrix NetScaler ADC and Gateway Vulnerability

Exploitation requires specific configurations: the NetScaler must be operating as a Gateway (including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server for authentication.

Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-56.73, 13.1 before 13.1-60.32, 13.1-FIPS and NDcPP before 13.1-37.250-FIPS and NDcPP, and 12.1-FIPS and NDcPP before 12.1-55.333-FIPS and NDcPP.

Notably, versions 12.1 and 13.0 have reached end-of-life (EOL) status, leaving them permanently vulnerable with no further support. Customers running Secure Private Access on-premises or hybrid deployments with NetScaler instances face the same risk and should upgrade those components.

The advisory applies only to customer-managed appliances; Cloud Software Group handles updates for its managed cloud services and Adaptive Authentication.

To detect exposure, administrators should check their NetScaler configurations for authentication virtual servers (e.g., "add authentication vserver .*") or Gateway setups (e.g., VPN-related commands).

While no active exploitation has been reported, the flaw's simplicity could attract opportunistic attackers, especially in environments with unpatched legacy systems.

Cloud Software Group urges immediate action: upgrade to patched releases such as NetScaler ADC and Gateway 14.1-56.73 or later, 13.1-60.32 or later for 13.1, 13.1-37.250 or later for FIPS/NDcPP variants, and 12.1-55.333 or later where applicable.
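The following is an added example (not code from the advisory or from Cloud Software Group) that turns the affected-version list and the configuration check above into a script an administrator can run against a saved ns.conf and a version string. It assumes a version layout of <train>-<major>.<minor> with an optional -FIPS or -NDcPP suffix, uses "add vpn vserver" as the Gateway indicator (the advisory only quotes the AAA pattern), and embeds a constructed config excerpt as sample input.

```python
import re
# First fixed build per train, from the advisory: (train, FIPS/NDcPP?) -> build.
FIXED_BUILDS = {
    ("14.1", False): (56, 73),
    ("13.1", False): (60, 32),
    ("13.1", True): (37, 250),
    ("12.1", True): (55, 333),
}
EOL_TRAINS = {"12.1", "13.0"}  # non-FIPS trains the advisory lists as end-of-life
# In-scope ns.conf lines: the AAA pattern is quoted in the advisory; "add vpn vserver"
# as the Gateway indicator is an assumption of this example.
IN_SCOPE = [re.compile(r"^add authentication vserver "), re.compile(r"^add vpn vserver ")]
# Assumed version layout: <train>-<major>.<minor>[-FIPS|-NDcPP], e.g. 13.1-37.250-FIPS
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")

def parse_version(version):
    """Return (train, (major, minor), is_fips_or_ndcpp) for a NetScaler version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    train, major, minor, variant = m.groups()
    return train, (int(major), int(minor)), variant is not None

def is_vulnerable_version(version):
    """True when the build predates the fix, or the train is EOL and never fixed."""
    train, build, fips = parse_version(version)
    fixed = FIXED_BUILDS.get((train, fips))
    if fixed is None:
        if train in EOL_TRAINS:
            return True  # 12.1 / 13.0 non-FIPS: no fix will ship
        raise ValueError(f"train {train} is not covered by the advisory")
    return build < fixed

def in_scope_config_lines(ns_conf):
    """Config lines proving an AAA or Gateway vserver exists (the exploitable setups)."""
    return [ln.strip() for ln in ns_conf.splitlines()
            if any(p.match(ln.strip()) for p in IN_SCOPE)]

def assess(version, ns_conf):
    """Exposed only when the build is unpatched AND an in-scope vserver is configured."""
    hits = in_scope_config_lines(ns_conf)
    vulnerable = is_vulnerable_version(version)
    return {"vulnerable_build": vulnerable, "in_scope": hits,
            "exposed": vulnerable and bool(hits)}

# Constructed ns.conf excerpt for demonstration; not taken from a real appliance.
SAMPLE_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.21 443
"""
```

A pure load-balancing appliance with no AAA or Gateway vserver is reported as not exposed even on an unpatched build, matching the advisory's scoping; it should still be upgraded on the normal schedule.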

EOL customers should migrate to supported versions to mitigate the risk. The company provides the fixes free of charge but emphasizes that the information is offered "as is," with no warranties regarding system impact.

This disclosure arrives amid heightened scrutiny of supply chain and remote access vulnerabilities, reminding enterprises to prioritize timely patching in their security postures. As threat landscapes evolve, regular configuration audits and version management remain essential defenses.
