
Cloud Software Group has disclosed a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and NetScaler Gateway products.
Tracked as CVE-2025-12101, the flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, data theft, or unauthorized actions.
The vulnerability carries a moderate CVSSv4 score of 5.9, reflecting that it is reachable over the network but requires user interaction to exploit.
NetScaler ADC, formerly Citrix ADC, and NetScaler Gateway serve as critical application delivery controllers and secure remote access solutions for thousands of organizations worldwide.
They handle VPN connections, load balancing, and authentication, making them prime targets for threat actors. This XSS issue stems from improper neutralization of input during web page generation, classified under CWE-79.
Citrix NetScaler ADC and Gateway Vulnerability
Exploitation requires specific configurations: the NetScaler must operate as a Gateway (including VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or an AAA virtual server for authentication.
Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-56.73, 13.1 before 13.1-60.32, 13.1-FIPS and NDcPP before 13.1-37.250-FIPS and NDcPP, and 12.1-FIPS and NDcPP before 12.1-55.333-FIPS and NDcPP.
Notably, versions 12.1 and 13.0 have reached end-of-life (EOL) status, leaving them perpetually vulnerable without support. Customers using Secure Private Access on-premises or hybrid deployments with NetScaler instances face similar risks and must upgrade those components.
The advisory applies solely to customer-managed appliances; Cloud Software Group handles updates for its managed cloud services and Adaptive Authentication.
To detect exposure, administrators should inspect their NetScaler configurations for authentication virtual servers (e.g., “add authentication vserver .*”) or Gateway setups (e.g., VPN-related commands).
While no active exploitation has been reported, the flaw’s simplicity could attract opportunistic attackers, especially in environments with unpatched legacy systems.
Cloud Software Group urges immediate action: upgrade to patched releases such as NetScaler ADC and Gateway 14.1-56.73 or later, 13.1-60.32 or later for 13.1, 13.1-37.250 or later for FIPS/NDcPP variants, and 12.1-55.333 or later where applicable.
EOL users should migrate to supported versions to mitigate risks. The company provides fixes without charge but emphasizes that the information is offered “as is,” with no warranties on system impact.
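As an added example (not Cloud Software Group's code or tooling), the script below automates the two checks the advisory calls for: it scans a saved ns.conf for the "add authentication vserver" and "add vpn vserver" lines that mark an AAA or Gateway deployment, and it compares a version string against the fixed builds listed above. The version-string format ("14.1-56.73", "13.1-37.250-FIPS") and the sample ns.conf lines are assumptions constructed for the example; adjust the regexes to match how your appliance reports its build.

```python
"""Check a NetScaler appliance for CVE-2025-12101 exposure: is it on a fixed
build, and is it configured as a Gateway or AAA virtual server?
Added example, not vendor code; version format and sample config are constructed."""
import re

# Fixed builds per the advisory, keyed by branch. The "-FIPS" branches cover
# both the FIPS and NDcPP variants, which share the same fixed build.
FIXED_BUILDS = {
    "14.1": (56, 73),
    "13.1": (60, 32),
    "13.1-FIPS": (37, 250),
    "12.1-FIPS": (55, 333),
}
# Branches the advisory names as end-of-life (no fix will ship).
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed version-string format: "<branch>-<major>.<minor>[-FIPS|-NDcPP]".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(-(?:FIPS|NDcPP))?$")

# ns.conf lines that mean the appliance is used as an AAA or Gateway server,
# which is the configuration the advisory says is required for exploitation.
EXPOSURE_PATTERNS = {
    "aaa_vserver": re.compile(r"^add authentication vserver\b"),
    "vpn_vserver": re.compile(r"^add vpn vserver\b"),
}


def parse_version(version):
    """Return (branch, (major, minor)); FIPS/NDcPP builds map to '<branch>-FIPS'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch, major, minor, suffix = m.groups()
    if suffix:
        branch += "-FIPS"
    return branch, (int(major), int(minor))


def version_status(version):
    """One of 'patched', 'vulnerable', 'eol' or 'unknown' for a version string."""
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def find_exposure(ns_conf_text):
    """Collect config lines that indicate AAA or Gateway use, by category."""
    hits = {name: [] for name in EXPOSURE_PATTERNS}
    for raw in ns_conf_text.splitlines():
        line = raw.strip()
        for name, pattern in EXPOSURE_PATTERNS.items():
            if pattern.match(line):
                hits[name].append(line)
    return hits


def assess(version, ns_conf_text):
    """Combine the version and configuration checks into a single verdict."""
    status = version_status(version)
    hits = find_exposure(ns_conf_text)
    exposed = any(hits.values())
    if status in ("vulnerable", "eol") and exposed:
        verdict = "ACTION REQUIRED"
    elif status in ("vulnerable", "eol"):
        verdict = "UPGRADE (not exposed by current config)"
    elif status == "patched":
        verdict = "OK"
    else:
        verdict = "UNKNOWN VERSION"
    return {"version_status": status, "exposed": exposed, "hits": hits, "verdict": verdict}


# Constructed sample ns.conf excerpt: one AAA vserver, one Gateway vserver,
# one plain load-balancing vserver that does not count as exposure.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.20 443
add vpn vserver gw_vs SSL 10.0.0.21 443
add lb vserver web_vs HTTP 10.0.0.30 80
"""

if __name__ == "__main__":
    for v in ("13.1-59.19", "14.1-56.73", "13.0-92.21", "13.1-37.250-NDcPP"):
        result = assess(v, SAMPLE_NS_CONF)
        print(f"{v:20} {result['version_status']:10} exposed={result['exposed']}  {result['verdict']}")
```

The config scan is deliberately conservative: any AAA or Gateway vserver counts as exposure, so a "not exposed" result only means the current ns.conf contains none of those lines, not that the appliance is safe to leave unpatched.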
This disclosure arrives amid heightened scrutiny of supply chain and remote access vulnerabilities, reminding enterprises to prioritize timely patching in their security postures. As threat landscapes evolve, regular configuration audits and version management remain essential defenses.
