Citrix Warns of Authentication Failures Following the NetScaler Update That Fixed an Auth Vulnerability
Citrix has issued an urgent advisory warning customers of widespread authentication failures following recent updates to NetScaler builds 14.1.47.46 and 13.1.59.19.
The updates, released as part of the company’s ongoing secure-by-design initiative, have inadvertently caused significant disruption to enterprise authentication systems across multiple organizations worldwide.
The authentication failures manifest as broken login pages and complete inability to access NetScaler Gateway portals, particularly affecting environments utilizing DUO configurations based on RADIUS authentication, SAML implementations, and custom Identity Provider (IDP) configurations.
Organizations relying on these authentication methods have reported complete service outages, forcing IT teams to implement emergency workarounds to maintain business continuity.
The root cause has been identified as the automatic enablement of Content Security Policy (CSP) headers by default in the latest NetScaler builds.
While CSP headers are designed to mitigate cross-site scripting (XSS) and code injection attacks, their sudden activation has created compatibility issues with existing authentication scripts and third-party integrations that were functioning properly before the update.
Citrix analysts identified that the issue stems from the strict CSP rules blocking legitimate scripts and resources that were previously allowed to execute without restriction.
The policy’s restrictive nature, while enhancing security against browser-based threats, has proven incompatible with many custom authentication configurations that enterprises have deployed over time, creating an unexpected security versus functionality conflict.
Technical Resolution and Mitigation
To address the immediate crisis, Citrix has provided a temporary workaround requiring administrators to disable the default CSP header through the NetScaler command-line interface.
The resolution involves executing the following commands on affected systems:
set aaa parameter -defaultCSPHeader DISABLED
save ns config
Additionally, administrators must flush the cache so the change takes effect immediately across all affected authentication systems:
flush cache contentgroup loginstaticobjects
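The following checker is an added example and is not Citrix's or NetScaler's own code. It illustrates both the root cause described above (a default CSP whose script-src rules reject inline login-page customisations and third-party IdP scripts) and a way to verify the workaround: paste the gateway's raw response headers (for instance from a curl -sI request against the login page) and it reports, per script, whether the policy would allow it to run. Before the workaround the header should be present and block the custom scripts; after disabling the default CSP header and flushing the cache, the header should be absent and nothing is restricted. The gateway URL, script URLs and header values are constructed samples; the page does not state the exact policy the affected NetScaler builds send. Matching is simplified to 'self', 'unsafe-inline', 'none', '*', scheme sources and host sources, path components are ignored, and nonce/hash sources are treated only as disabling 'unsafe-inline', as CSP Level 3 does.

```python
"""Decide which login-page scripts a Content-Security-Policy header would block.

Added example, not NetScaler code. All URLs and headers below are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def extract_csp(raw_headers: str) -> Optional[str]:
    """Return the Content-Security-Policy value from raw response headers, or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def parse_csp(header_value: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; a repeated directive is ignored (CSP3)."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url: str):
    """(scheme, host, effective port) tuple, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme)


def _host_source_matches(source: str, script_url: str, page_url: str) -> bool:
    """Simplified CSP host-source matching (optional scheme, optional '*.' prefix, optional port)."""
    scheme, host, port = _origin(script_url)
    if source == "*":
        return scheme in NETWORK_SCHEMES
    if source.endswith(":") and "/" not in source:          # scheme-source such as "https:"
        return scheme == source[:-1]
    explicit_scheme = "://" in source
    src = urlsplit(source if explicit_scheme else f"{scheme}://{source}")
    page_scheme = _origin(page_url)[0]
    if explicit_scheme and src.scheme.lower() != scheme:
        return False
    # A scheme-less source matches the page's scheme, or https when the page is plain http.
    if not explicit_scheme and scheme != page_scheme and not (page_scheme == "http" and scheme == "https"):
        return False
    src_host = (src.hostname or "").lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):                 # "*.example.net" matches subdomains only
            return False
    elif src_host != host:
        return False
    if src.port is not None:
        return src.port == port
    return port == DEFAULT_PORT.get(scheme)                  # no port given: default port only


def script_allowed(policy: dict, page_url: str, script: Optional[str]) -> bool:
    """script=None means an inline <script>; otherwise it is the script's src URL."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:                                      # no governing directive: unrestricted
        return True
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if script is None:
        return "'unsafe-inline'" in lowered and not has_nonce_or_hash
    for src in lowered:
        if src == "'self'" and _origin(script) == _origin(page_url):
            return True
        if not src.startswith("'") and _host_source_matches(src, script, page_url):
            return True
    return False


def audit(raw_headers: str, page_url: str, scripts: list) -> dict:
    """Map each script (None -> "<inline>") to whether the response's CSP lets it run."""
    header = extract_csp(raw_headers)
    policy = parse_csp(header) if header is not None else {}
    return {script or "<inline>": script_allowed(policy, page_url, script) for script in scripts}


# Constructed sample: a gateway login page with an inline customisation, a first-party
# script and a third-party IdP widget (placeholder domains, not real deployments).
PAGE = "https://gateway.example.com/vpn/index.html"
SCRIPTS = [None,
           "https://gateway.example.com/vpn/js/custom-auth.js",
           "https://idp.example.net/sso-widget.js"]

# Constructed responses: a strict default CSP, no CSP header, and a tailored CSP.
STRICT_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'
"""
NO_CSP_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
"""
TAILORED_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://idp.example.net
"""

if __name__ == "__main__":
    for label, response in (("strict", STRICT_RESPONSE), ("no-csp", NO_CSP_RESPONSE), ("tailored", TAILORED_RESPONSE)):
        print(label, audit(response, PAGE, SCRIPTS))
```

Under the strict sample the first-party script is allowed while the inline block and the IdP script are rejected, which is the breakage pattern the advisory describes; with the header gone everything runs again. The tailored policy shows the longer-term alternative to disabling CSP outright: enumerate the scripts the login page actually needs and admit only those origins.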