Friday, November 14, 2025

Citrix NetScaler ADC and Gateway Vulnerability Exposes Systems To Cross-Site Scripting Attacks

In a recent security bulletin, Cloud Software Group (formerly Citrix) disclosed a medium-severity vulnerability affecting NetScaler ADC and NetScaler Gateway products.

Identified as CVE-2025-12101, this cross-site scripting (XSS) flaw could allow attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking or data theft.

Published on November 11, 2025, the advisory (CTX695486) urges immediate patching for affected systems, highlighting risks in enterprise environments where these appliances serve as critical gateways for remote access and authentication.

NetScaler ADC and Gateway, widely used for application delivery, load balancing, and secure remote access, have long been targets for threat actors due to their exposure in perimeter networks.

This vulnerability underscores ongoing challenges in web application security, particularly as organizations rely on these tools for VPNs, ICA proxies, and AAA virtual servers.

While it does not enable remote code execution, the XSS issue could compromise user sessions if exploited, particularly in configurations that handle sensitive authentication traffic.

Understanding The Vulnerability

CVE-2025-12101 stems from improper neutralization of input during web page generation, classified under CWE-79.

Attackers could exploit it over the network if the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.

The CVSS v4 score of 5.9 reflects moderate risk: the vector requires low attack complexity over the network (AV:N/AC:L) but active user interaction (UI:A), with high impact on confidentiality and low impact on integrity and availability of the vulnerable system, and low impact on subsequent systems (VC:H/VI:L/VA:L/SC:L/SI:L/SA:L).

Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-56.73, 13.1 before 13.1-60.32, and FIPS/NDcPP variants before their respective patches (13.1-37.250 and 12.1-55.333).

Notably, versions 12.1 and 13.0 are end-of-life (EOL) and remain vulnerable with no fix available, leaving users without vendor support exposed to unpatched risks.

Secure Private Access deployments, both on-premises and hybrid, are also affected if they rely on vulnerable NetScaler instances.

Cloud-managed services from Citrix remain unaffected, as the company handles updates automatically.

This XSS variant doesn’t require authentication (PR:N), making it appealing for phishing or drive-by attacks in misconfigured setups.

Enterprises using NetScaler for remote workforces should audit their configurations for “add authentication vserver” or “add vpn vserver” entries to identify potential exposures.

The flaw was responsibly disclosed by researchers Sina Kheirkhah from watchTowr and Dylan Pindur from Assetnote, who collaborated with Cloud Software Group to mitigate threats before public release.

Mitigation and Recommendations

Cloud Software Group recommends upgrading to patched releases immediately: NetScaler ADC/Gateway 14.1-56.73 or later, 13.1-60.32 or later, and corresponding FIPS/NDcPP builds.

EOL users must migrate to supported versions to address the vulnerability and future threats.

For verification, administrators can inspect configurations and apply updates via standard NetScaler procedures.
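The two checks described above (scanning the configuration for Gateway or AAA virtual servers, and comparing the running build against the fixed builds named in the advisory) can be combined into a single triage script. This is an added example, not code from the advisory or from Citrix; the configuration line format, the version-string format and the sample config are assumptions constructed for illustration, and the result should be confirmed against the vendor bulletin.

```python
import re

# First fixed builds per branch, as listed on this page (CTX695486).
# FIPS/NDcPP builds use their own branch keys because the plain 12.1 branch is EOL.
FIXED_BUILDS = {
    "14.1": (56, 73),
    "13.1": (60, 32),
    "13.1-FIPS": (37, 250),   # 13.1 FIPS / NDcPP
    "12.1-FIPS": (55, 333),   # 12.1 FIPS / NDcPP
}
EOL_BRANCHES = {"12.1", "13.0"}   # no patch available, per the advisory

# Config lines that mark the exposed surface: Gateway (vpn) or AAA (authentication) vservers.
EXPOSURE_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.M)

# Constructed sample of a NetScaler running configuration (not from a real appliance).
SAMPLE_CONFIG = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vpn SSL 10.0.0.20 443
add authentication vserver aaa_login SSL 10.0.0.21 443
"""

def parse_version(ver, fips=False):
    """'14.1-56.73' -> ('14.1', (56, 73)); FIPS/NDcPP builds get a '-FIPS' branch key (assumed format)."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {ver!r}")
    branch = m.group(1) + ("-FIPS" if fips else "")
    return branch, (int(m.group(2)), int(m.group(3)))

def assess(version, running_config, fips=False):
    """Classify a build against the advisory and list the vservers that expose CVE-2025-12101."""
    branch, build = parse_version(version, fips)
    exposed = [f"{kind} vserver {name}" for kind, name in EXPOSURE_RE.findall(running_config)]
    if branch in EOL_BRANCHES:
        status = "vulnerable (EOL branch, no fix available)"
    elif branch not in FIXED_BUILDS:
        status = "unknown branch (not listed in advisory)"
    elif build >= FIXED_BUILDS[branch]:        # tuple compare: (56, 73) >= (56, 73)
        status = "patched"
    else:
        status = "vulnerable"
    return {"branch": branch, "status": status,
            "exposed_vservers": exposed, "attack_surface": bool(exposed)}

if __name__ == "__main__":
    print(assess("14.1-47.46", SAMPLE_CONFIG))
```

A build reported as patched but with no Gateway or AAA vserver was never in the affected configuration; a vulnerable build with `attack_surface` true is the case to prioritise.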

Beyond patching, best practices include enabling web application firewalls (WAF) on NetScaler to filter XSS payloads, restricting Gateway exposure to trusted networks, and monitoring for anomalous authentication attempts.

Organizations should subscribe to Citrix alerts and review the full bulletin at the Citrix Knowledge Center for changelog details.

This incident highlights the importance of timely upgrades in legacy systems.

As supply chain attacks evolve, proactive vulnerability management remains essential for safeguarding remote access infrastructures.

For support, contact Citrix Technical Support or report issues via their trust center.

Varshini