Advisory 88: Critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway Products
Release Date: 26th of June 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to organisations that use the above products. It is intended for technical users and systems administrators.
What is it?
Citrix has identified the following vulnerabilities affecting the NetScaler ADC and NetScaler Gateway products:
- CVE-2025-5777: Insufficient input validation leading to a memory overread, potentially exposing sensitive data. This vulnerability affects NetScaler products configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
- CVE-2025-5349: Improper access control on the NetScaler Management Interface.
Which product version is affected?
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and are vulnerable. Customers are advised to upgrade their appliances to one of the supported versions that address the vulnerabilities.
Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.
Mitigation process
Vanuatu organisations should review their networks for vulnerable instances of the NetScaler ADC and NetScaler Gateway products, and consult the Citrix Security Advisory (linked under References) for mitigation advice.
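To support that review, the following Python script is an added example (not part of this advisory or of Citrix's bulletin) that takes an inventory of NetScaler build strings in the form used above (e.g. 14.1-43.56, 13.1-37.235-FIPS) and classifies each appliance against the fixed builds and EOL branches listed in this advisory. The inventory entries and hostnames are constructed for illustration; the version-string format is assumed to match the notation in the affected-versions list.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed builds, taken from the affected-versions list in this advisory.
# Key: (release branch, variant), value: (major build, minor build).
# NDcPP shares the 13.1-FIPS fixed build, so both variants map to "FIPS".
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Branches the advisory marks as End Of Life: no fixed build exists, upgrade required.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed version-string layout: <branch>-<build>.<minor>[-FIPS|-NDcPP]
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_version(version: str) -> Optional[Tuple[str, Tuple[int, int], str]]:
    """Split a build string into (branch, (build, minor), variant).

    Returns None when the string does not follow the assumed layout.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        return None
    branch, build, minor, variant = match.groups()
    variant = "FIPS" if variant in ("FIPS", "NDcPP") else ""
    return branch, (int(build), int(minor)), variant


def assess(version: str) -> str:
    """Classify one build string as 'fixed', 'vulnerable', 'eol' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    branch, build, variant = parsed

    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is not None:
        # Build numbers compare lexicographically: (43, 50) < (43, 56).
        return "fixed" if build >= fixed else "vulnerable"

    # Non-FIPS 12.1 and all of 13.0 have no patched build; they are EOL and vulnerable.
    if branch in EOL_BRANCHES:
        return "eol"
    return "unknown"


def assess_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every entry in a (host, version) inventory."""
    return [(host, version, assess(version)) for host, version in inventory]


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that are vulnerable, EOL, or could not be classified and need a manual check."""
    return [host for host, _, status in assess_inventory(inventory) if status != "fixed"]


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-edge-01.example", "14.1-43.56"),
    ("gw-edge-02.example", "14.1-29.72"),
    ("adc-core-01.example", "13.1-58.32"),
    ("adc-fips-01.example", "13.1-37.207-NDcPP"),
    ("adc-legacy-01.example", "13.0-92.21"),
    ("adc-unknown.example", "NS14.1 build 43.56"),
]

if __name__ == "__main__":
    for host, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:24} {version:22} {status}")
```

Any host not reported as "fixed" should be scheduled for upgrade to the corresponding fixed build (or, for EOL branches, to a supported branch), and "unknown" entries should be re-checked by hand, since a string the parser cannot read gives no assurance either way.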
NOTE: If assistance is needed, please contact CERTVU via email:
References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&artic%5B%E2%80%A6%5Dteway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777=
- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-citrix-netscaler-adc-and-netscaler-gateway-products