A critical security bulletin addresses two significant vulnerabilities in NetScaler ADC and NetScaler Gateway that could enable attackers to access sensitive data and compromise network infrastructure.
The vulnerabilities, designated CVE-2025-5349 and CVE-2025-5777, affect multiple versions of the widely deployed network appliances and carry CVSS scores of 8.7 and 9.3 respectively, indicating severe security risks that require immediate attention.
The first vulnerability, CVE-2025-5349, represents an improper access control vulnerability in the NetScaler Management Interface that allows unauthorized access to critical system functions.
This vulnerability specifically targets the NetScaler IP (NSIP), Cluster Management IP, or local Global Server Load Balancing (GSLB) Site IP addresses, potentially giving attackers administrative control over affected systems.
The vulnerability falls under the CWE-284 category for improper access control and carries a CVSS v4.0 base score of 8.7.
The second and more severe vulnerability, CVE-2025-5777, stems from insufficient input validation that leads to memory overread conditions.
This vulnerability affects NetScaler systems configured as Gateway services, including VPN virtual servers, ICA Proxy, Citrix Virtual Private Network (CVPN), Remote Desktop Protocol (RDP) Proxy, or Authentication, Authorization, and Accounting (AAA) virtual servers.
With a CVSS v4.0 base score of 9.3, this out-of-bounds read vulnerability poses significant risks to data confidentiality and system integrity.
Citrix NetScaler ADC and Gateway Vulnerabilities
The vulnerabilities impact several supported NetScaler versions, including NetScaler ADC and Gateway 14.1 versions prior to 14.1-43.56, and 13.1 versions before 13.1-58.32.
Additionally, specialized FIPS-compliant and NDcPP certified versions are affected, with NetScaler ADC 13.1-FIPS and NDcPP requiring updates to 13.1-37.235 or later, and NetScaler ADC 12.1-FIPS needing upgrades to 12.1-55.328 or later.
Organizations operating end-of-life versions 12.1 and 13.0 face particular risks, as these systems remain vulnerable without available patches.
Cloud Software Group emphasizes that customers using these deprecated versions must migrate to supported releases to address the security gaps.
The vulnerabilities also affect Secure Private Access on-premises and hybrid deployments utilizing NetScaler instances, requiring comprehensive infrastructure updates.
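To turn the affected-version list above into something an operations team can run against an appliance inventory, here is an added triage script (example code, not from the bulletin or from Citrix / Cloud Software Group). It encodes only the fixed builds and end-of-life trains named on this page; the version-string layout "release-build.minor" (for example "14.1-43.56"), the `fips` flag used to select the FIPS/NDcPP build line, and the sample inventory are assumptions made for illustration.

```python
"""Triage NetScaler ADC / Gateway version strings against the fixed builds
named in the bulletin for CVE-2025-5349 and CVE-2025-5777.

Added example (not from the bulletin or from Citrix / Cloud Software Group).
The version-string layout "<release>-<build>.<minor>" (e.g. "14.1-43.56"),
the fips flag and the inventory below are assumptions made for illustration.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed build per (release, is_fips_or_ndcpp), taken from the bulletin text.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),   # 14.1-43.56
    ("13.1", False): (58, 32),   # 13.1-58.32
    ("13.1", True):  (37, 235),  # 13.1-FIPS and 13.1-NDcPP: 13.1-37.235
    ("12.1", True):  (55, 328),  # 12.1-FIPS: 12.1-55.328
}

# Non-FIPS release trains the bulletin lists as end-of-life with no patch.
END_OF_LIFE = {"12.1", "13.0"}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-58.32' into ('13.1', (58, 32)); raise on unexpected input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, fips: bool = False) -> Tuple[str, str]:
    """Return (status, reason); status is 'patched', 'vulnerable',
    'end-of-life' or 'unknown'. Build numbers compare as integer tuples,
    so 14.1-43.50 sorts below 14.1-43.56 and 14.1-47.46 above it."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is not None:
        fixed_str = f"{release}-{fixed[0]}.{fixed[1]}"
        if build >= fixed:
            return "patched", f"build is {fixed_str} or later"
        return "vulnerable", f"upgrade to {fixed_str} or later"
    if release in END_OF_LIFE and not fips:
        return "end-of-life", "no patch available; migrate to a supported release"
    return "unknown", "release/build variant not covered by the bulletin"


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group appliance hostnames by status. Each entry is (host, version, fips)."""
    groups: Dict[str, List[str]] = {}
    for host, version, fips in inventory:
        status, _ = assess(version, fips)
        groups.setdefault(status, []).append(host)
    return groups


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("ns-dmz-01", "14.1-43.50", False),
    ("ns-dmz-02", "14.1-43.56", False),
    ("ns-core-01", "13.1-57.26", False),
    ("ns-fips-01", "13.1-37.235", True),
    ("ns-fips-02", "12.1-55.200", True),
    ("ns-legacy-01", "13.0-92.21", False),
    ("ns-legacy-02", "12.1-65.39", False),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(hosts)}")
```

The `fips` flag matters because the 12.1 train is end-of-life in its standard form but still patched in its FIPS form, and the 13.1 FIPS/NDcPP fixed build (13.1-37.235) is numerically lower than the standard 13.1 fix (13.1-58.32); comparing a FIPS appliance against the wrong line would misclassify it. Anything the bulletin does not name (other trains, unparsable strings) is reported as unknown or raises, rather than being silently marked safe.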
Mitigations
Cloud Software Group strongly recommends immediate deployment of updated NetScaler versions to remediate these critical vulnerabilities.
Organizations should prioritize upgrading to NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32, or their respective FIPS-compliant equivalents.
Following successful upgrades across high-availability pairs or clusters, administrators should execute specific commands to terminate active ICA and PCoIP sessions, ensuring complete remediation.
The security bulletin acknowledges contributions from Positive Technologies and ITA MOD CERT (CERTDIFESA) for responsible disclosure practices.
While Cloud Software Group manages updates for Citrix-managed cloud services automatically, customers with self-managed deployments must take immediate action to prevent potential exploitation of these vulnerabilities, which could result in unauthorized data access and system compromise.