Citrix NetScaler ADC and Gateway Flaw Allows Cross-Site Scripting (XSS) Attacks

Cloud Software Group has disclosed a cross-site scripting (XSS) vulnerability affecting NetScaler ADC and NetScaler Gateway platforms.

The flaw, tracked as CVE-2025-12101, poses a moderate security risk to organizations relying on these network appliances for authentication and secure access services.

Field                 Value
CVE ID                CVE-2025-12101
Vulnerability Type    Cross-Site Scripting (XSS)
CWE Classification    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v4.0 Score       5.9 (Medium)

Vulnerability Overview

The vulnerability enables attackers to inject malicious scripts into web pages served by affected NetScaler instances.

If successfully exploited, the flaw could allow threat actors to execute arbitrary code in users’ browsers, potentially leading to session hijacking, credential theft, or malware distribution.

The attack requires specific configurations and user interaction to succeed, limiting its immediate threat.

The vulnerability impacts multiple NetScaler versions across different product lines. Organizations running NetScaler ADC and Gateway version 14.1 before 14.1-56.73, or version 13.1 before 13.1-60.32, are affected.

Additionally, FIPS-compliant versions, including 13.1-FIPS (pre-13.1-37.250) and 12.1-FIPS (pre-12.1-55.333), are affected.

Notably, end-of-life versions 12.1 and 13.0 remain vulnerable, though official support has been discontinued.

Cloud Software Group has also identified that Secure Private Access on-premises deployments, and hybrid deployments that use NetScaler instances, are susceptible to this flaw.

The vulnerability only manifests when NetScaler is configured as a Gateway with specific virtual server types, including VPN, ICA Proxy, CVPN, or RDP Proxy.

Authentication servers using AAA virtual servers are also vulnerable. Organizations must verify their configurations to determine exposure.
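The configuration and version conditions described above can be turned into a quick triage check. The helper below is an added example written for this article, not Cloud Software Group's tooling: it compares a build string in the advisory's "branch-build.sub" notation against the fixed builds the advisory names, and scans an ns.conf fragment for the Gateway (`add vpn vserver`) and AAA (`add authentication vserver`) virtual servers the advisory lists as exposed. The sample config is constructed; treating the FIPS branches as a separate flag rather than part of the version string is an assumption.

```python
"""Triage helper for CVE-2025-12101 (constructed example, not vendor tooling)."""
import re

# Fixed builds named in the advisory, keyed by (branch, is_fips).
FIXED_BUILDS = {
    ("14.1", False): (56, 73),
    ("13.1", False): (60, 32),
    ("13.1", True): (37, 250),
    ("12.1", True): (55, 333),
}
# Non-FIPS branches the advisory calls end-of-life: vulnerable, no fix coming.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumption: version strings follow the advisory's "<branch>-<build>.<sub>" form.
_VER = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def version_status(version: str, fips: bool = False) -> str:
    """Return 'fixed', 'affected', 'eol-affected' or 'unknown' for a build."""
    m = _VER.match(version.strip())
    if not m:
        return "unknown"
    branch, build, sub = m.group(1), int(m.group(2)), int(m.group(3))
    if not fips and branch in EOL_BRANCHES:
        return "eol-affected"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return "unknown"            # branch not covered by the advisory
    return "fixed" if (build, sub) >= fixed else "affected"

# ns.conf commands creating the vserver kinds the advisory lists as exposed:
# Gateway (VPN / ICA Proxy / CVPN / RDP Proxy) and AAA authentication vservers.
_EXPOSED = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.M)

def exposed_vservers(ns_conf: str) -> list[tuple[str, str]]:
    """List (type, name) for Gateway and AAA vservers found in a running config."""
    return _EXPOSED.findall(ns_conf)

def triage(version: str, ns_conf: str, fips: bool = False) -> dict:
    """Combine version and configuration checks into one exposure verdict."""
    status = version_status(version, fips)
    vservers = exposed_vservers(ns_conf)
    return {"version_status": status, "exposed_vservers": vservers,
            "action_required": status != "fixed" and bool(vservers)}

# Constructed sample ns.conf fragment; addresses and names are made up.
SAMPLE_CONF = ("add lb vserver web_lb HTTP 10.0.0.10 80\n"
               "add vpn vserver gw_vs SSL 10.0.0.20 443\n"
               "add authentication vserver aaa_vs SSL 10.0.0.30 443\n")

if __name__ == "__main__":
    print(triage("14.1-47.46", SAMPLE_CONF))
```

A plain load balancer vserver (`add lb vserver`) is deliberately not flagged, matching the advisory's statement that only Gateway and AAA configurations expose the flaw.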

The vulnerability carries a CVSSv4 score of 5.9, classified as medium severity. The attack vector is network-based, requiring low attack complexity and user interaction.

Successfully exploiting the flaw could result in high-impact confidentiality violations, with limited integrity and availability impacts. The weakness is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation.

Cloud Software Group strongly recommends immediate patching for affected installations. Organizations should upgrade to NetScaler ADC and Gateway version 14.1-56.73 or later, or version 13.1-60.32 or later.

Administrators managing FIPS-compliant deployments should update to the corresponding patched versions.

Customers running end-of-life versions should prioritize migration to supported platforms, as these installations receive no ongoing security updates.

Cloud Software Group is automatically upgrading managed cloud services, so customers using Citrix-managed cloud solutions do not need to take any manual action.

The vulnerability was discovered by Sina Kheirkhah of watchTowr and Dylan Pindur of Assetnote, who worked collaboratively with Cloud Software Group to ensure timely remediation before public disclosure.
