Cloud Software Group has released a security bulletin warning customers of two newly identified vulnerabilities, CVE-2025-5349 and CVE-2025-5777, affecting both NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
CVE-2025-5349 has been classified as an improper access control issue affecting the NetScaler Management Interface. This flaw allows unauthorized users to potentially gain elevated access if they can connect via NSIP, Cluster Management IP, or the local GSLB Site IP. It has been assessed under the Common Weakness Enumeration (CWE) as CWE-284 and has been assigned a CVSS v4.0 base score of 8.7, signaling a high-severity vulnerability.
The second vulnerability, CVE-2025-5777, results from insufficient input validation, leading to a memory overread condition. The flaw is exploitable only when NetScaler is configured as a Gateway, such as through VPN virtual servers, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers. This issue is classified under CWE-125: Out-of-bounds Read, with a CVSS v4.0 base score of 9.3, making it even more critical than the first.
Affected Versions
The following versions of NetScaler ADC and NetScaler Gateway are impacted:
- Versions 14.1 before 14.1-43.56
- Versions 13.1 before 13.1-58.32
- 13.1-FIPS and 13.1-NDcPP before build 13.1-37.235-FIPS and NDcPP
- 12.1-FIPS before build 12.1-55.328-FIPS
It is important to note that versions 12.1 and 13.0 are now designated as End of Life (EOL). As a result, these versions are no longer supported and are vulnerable to both CVE-2025-5349 and CVE-2025-5777. Customers still operating on these legacy builds are strongly encouraged to migrate to currently supported versions immediately.
Additionally, organizations using Secure Private Access in on-premises or hybrid deployment modes that rely on NetScaler instances are also affected. Cloud Software Group emphasizes that these setups must also be upgraded to the specified secure builds to ensure complete protection.
Remediation for CVE-2025-5349 and CVE-2025-5777
To address these critical vulnerabilities, Cloud Software Group advises customers to upgrade to the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 or later
- NetScaler ADC and NetScaler Gateway 13.1-58.32 or later
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 or later
- NetScaler ADC 12.1-FIPS 12.1-55.328 or later
After upgrading, administrators are also advised to terminate all active ICA and PCoIP sessions using the following commands to ensure no lingering session-based vulnerabilities:
bash
CopyEdit
kill icaconnection -all
kill pcoipConnection -all
These commands should be run only after all appliances in an HA pair or cluster are fully updated to the secure builds.
These vulnerabilities specifically impact customer-managed instances of Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Customers utilizing Citrix-managed cloud services or Citrix Adaptive Authentication do not need to take action, as Cloud Software Group handles all necessary updates for those environments.
Conclusion
Cloud Software Group extended its appreciation to Positive Technologies and ITA MOD CERT (CERTDIFESA) for their collaborative efforts in identifying and disclosing these vulnerabilities responsibly. Their cooperation played a vital role in enabling a timely and effective response to protect end-users.
Given the severity of CVE-2025-5349 and CVE-2025-5777, organizations using NetScaler ADC and NetScaler Gateway cannot afford to delay. With one vulnerability granting elevated access and the other enabling memory-based exploits, attackers could gain control over affected systems. Upgrading to the latest supported versions is not only recommended but essential for maintaining a secure enterprise infrastructure.
