What vulnerabilities did Citrix patch in NetScaler ADC and Gateway?

Citrix addressed two security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products: CVE-2025-5777 (CVSS 9.3) for insufficient input validation leading to memory overread, and CVE-2025-5349 (CVSS 8.7) for improper access control on the NetScaler Management Interface.

What is CVE-2025-5777?

CVE-2025-5777 (CVSS score 9.3) is a vulnerability caused by insufficient input validation leading to memory overread. It could lead to the exposure of sensitive data through memory overread conditions. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, and no authentication is required to exploit this flaw.

What is CVE-2025-5349?

CVE-2025-5349 (CVSS score 8.7) is a vulnerability involving improper access control on the NetScaler Management Interface. It allows unauthorized users to potentially gain elevated access to the NetScaler Management Interface. This vulnerability requires access to NSIP, Cluster Management IP, or local GSLB Site IP as a precondition for exploitation.

Which NetScaler versions are affected by these vulnerabilities?

The affected versions include NetScaler ADC and Gateway 14.1 BEFORE 14.1-43.56, 13.1 BEFORE 13.1-58.32, NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP, and NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS.

What are the patched versions for these NetScaler vulnerabilities?

Cloud Software Group recommends upgrading to NetScaler ADC and Gateway 14.1-43.56 and later releases, 13.1-58.32 and later releases of 13.1, NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases, and NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS.

Does CVE-2025-5777 require authentication to exploit?

No, CVE-2025-5777 does not require authentication to exploit, making it particularly dangerous. Attackers can potentially exploit this memory overread vulnerability without needing valid credentials, which significantly increases the risk for exposed NetScaler instances.

What configurations are vulnerable to CVE-2025-5777?

CVE-2025-5777 affects NetScaler products that must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Systems not configured in these modes are not vulnerable to this specific flaw.

What are the potential impacts of these NetScaler vulnerabilities?

CVE-2025-5777 could lead to exposure of sensitive data through memory overread conditions, while CVE-2025-5349 could allow unauthorized users to gain elevated access to the NetScaler Management Interface. Both vulnerabilities could potentially compromise the security and integrity of NetScaler deployments and the networks they protect.

Why should organizations prioritize patching these NetScaler vulnerabilities?

Organizations should prioritize patching because CVE-2025-5777 has a critical CVSS score of 9.3 and requires no authentication to exploit, making it extremely dangerous for internet-facing NetScaler instances. CVE-2025-5349 also poses significant risk with a CVSS score of 8.7. NetScaler systems are often critical infrastructure components that protect and manage access to enterprise networks, making their compromise particularly damaging.

Advisory

Critical vulnerabilities discovered in Citrix NetScaler ADC and Gateway products

Q: Do these vulnerabilities affect all NetScaler deployments?

No, these security flaws affect customer-managed NetScaler ADC and NetScaler Gateway instances. Organizations using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are automatically patched and do not require manual intervention.

Q: Are older NetScaler versions still supported?

No, Cloud Software Group has emphasized that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 have reached End of Life (EOL) status and are no longer receiving security updates. Organizations using these versions should prioritize upgrading to supported versions.

published: June 23, 2025

Take action: If you have self-hosted Citrix NetScaler ADC or Gateway, check if your version is still supported and apply the security patches. This is especially important if your Citrix functions as a gateway/VPN server. Take note that versions 12.1 and 13.0 are end-of-life with no fixes available. After patching, restart all active user sessions to clear any potential compromises from these critical vulnerabilities.

Learn More

Citrix has patched addressed two security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. The security flaws affect customer-managed NetScaler ADC and NetScaler Gateway instances. Organizations using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are automatically patched

Vulnerabilities summary

CVE-2025-5777 (CVSS score 9.3) insufficient input validation leading to memory overread . It could lead to the exposure of sensitive data through memory overread conditions. This vulnerability affects NetScaler products that must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. No authentication is required to exploit this flaw.
CVE-2025-5349 (CVSS score 8.7) improper access control on the NetScaler Management Interface. It allows unauthorized users to potentially gain elevated access to the NetScaler Management Interface. This vulnerability requires access to NSIP, Cluster Management IP, or local GSLB Site IP as a precondition for exploitation.

The following supported versions of NetScaler ADC and NetScaler Gateway are impacted by these vulnerabilities:

NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

Cloud Software Group has emphasized that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 have reached End of Life (EOL) status and are no longer receiving security

Cloud Software Group strongly urges affected customers to install the following updated versions immediately:

NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases
NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

Additionally, Cloud Software Group recommends running commands to terminate all active ICA and PCoIP sessions after upgrading all NetScaler appliances in high availability pairs or clusters to the fixed builds. This ensures that any potentially compromised sessions are cleared following the security update.

Critical vulnerabilities discovered in Citrix NetScaler ADC and Gateway products

Read More
Critical Sudo vulnerabilities enable local privilege escalation to …
Progress Software Patches Critical RCE Chain in ShareFile …
Citrix releases update for Citrix Hypervisor to remove …
Fortinet warns users that FortiClientEMS flaw is actively …
Cisco VPN in ASA and FTD unpatched vulnerability …