Two critical vulnerabilities have been identified in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), posing significant risks to enterprise networks. Let’s dive into the details of CVE-2025-5349 and CVE-2025-5777 and the necessary steps for remediation.
Vulnerability Overview
The identified vulnerabilities, CVE-2025-5349 and CVE-2025-5777, are critical and require immediate attention. Here’s a summary:
- CVE-2025-5349 – Improper Access Control: This vulnerability involves improper access control on the NetScaler Management Interface. An attacker who can already reach the NetScaler IP (NSIP), the Cluster Management IP (CLIP), or a local Global Server Load Balancing (GSLB) Site IP could exploit this flaw to gain unauthorized, elevated access to management functions. It is not reachable through the data-plane virtual servers, which is one more reason management addresses must never be exposed to the internet.
- CVE-2025-5777 – Insufficient Input Validation: This vulnerability stems from insufficient input validation, leading to a memory overread condition. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, clientless VPN (CVPN), Remote Desktop Protocol (RDP) Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server. Successful exploitation requires no authentication and could allow attackers to read sensitive memory contents, such as session tokens and other credential material, as well as configuration data.
CVE-2025-5349 has a CVSS v4.0 base score of 8.7 (High) and CVE-2025-5777 a score of 9.3 (Critical); the latter is the one that is reachable by anyone who can connect to an exposed Gateway or AAA virtual server.
Affected Versions
The following versions of NetScaler ADC and NetScaler Gateway are affected:
- 14.1 before 14.1-43.56
- 13.1 before 13.1-58.32
- 13.1-FIPS and 13.1-NDcPP before build 13.1-37.235-FIPS and NDcPP
- 12.1-FIPS before build 12.1-55.328-FIPS
It is particularly concerning that versions 12.1 (non-FIPS) and 13.0 are designated End of Life (EOL) and are no longer supported. These versions are vulnerable to both CVE-2025-5349 and CVE-2025-5777, and no security patches will be released for them; the only remediation is to upgrade to a supported release.
The potential impact of these vulnerabilities is significant:
- Unauthorized Access: Attackers can gain elevated access to critical management functions via CVE-2025-5349, potentially leading to system compromise.
- Data Leakage: Successful exploitation of CVE-2025-5777 can allow attackers to read sensitive memory contents, including credentials and configuration data, enabling further malicious activities.
Organizations running affected NetScaler ADC and Gateway deployments are therefore exposed on two fronts: remote, unauthenticated data leakage from any internet-facing Gateway or AAA virtual server (CVE-2025-5777), and unauthorized administrative access from anyone who can reach the management addresses (CVE-2025-5349).
Impact & Exploit Potential
The two flaws differ in where an attacker must stand. CVE-2025-5777 can be triggered by an unauthenticated remote attacker against a Gateway or AAA virtual server, with no user interaction, and leaks memory that may contain credentials, session tokens, or configuration details; leaked session tokens are what make this an immediate threat to every user of the appliance. CVE-2025-5349 requires network access to a management interface (NSIP, CLIP, or GSLB Site IP) and then lets the attacker bypass the access controls in front of the management functions, threatening the confidentiality, integrity, and availability of the management layer. An appliance whose management addresses are reachable from a network an attacker can already touch is therefore exposed to both.
Mitigation & Remediation
To address these critical vulnerabilities, Cloud Software Group recommends the following actions:
- Upgrade NetScaler ADC and Gateway: Upgrade to the following versions:
- 14.1-43.56 or later
- 13.1-58.32 or later
- 13.1-FIPS and 13.1-NDcPP 13.1-37.235 or later
- 12.1-FIPS 12.1-55.328 or later
- Terminate Active Sessions: After upgrading, terminate all active ICA and PCoIP sessions so that no session established through a vulnerable build survives the upgrade. Run the following two commands from the NetScaler CLI:
    kill icaconnection -all
    kill pcoipConnection -all
Run these commands only after every appliance in an HA pair or cluster has been upgraded to a fixed build; killing sessions while an unpatched node is still serving traffic gives no lasting protection.
Customers using Citrix-managed cloud services receive automatic updates from Cloud Software Group, requiring no additional action.
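The upgrade step above is only done when every appliance in the estate reports a build at or above the fixed one for its release, and the FIPS/NDcPP trains have different fixed builds from the standard train. The following is an added example, not code from the advisory or from Cloud Software Group, that compares a NetScaler version banner against the fixed builds listed above. It assumes the `show ns version` banner has the form `NetScaler NS14.1: Build 43.56.nc, ...` (a format assumption); the sample banners below are constructed, and whether an appliance is on the FIPS/NDcPP train is passed in explicitly because the banner alone is not assumed to say so.

```python
"""Triage NetScaler ADC / Gateway build strings against the fixed builds
for CVE-2025-5349 and CVE-2025-5777 (added example, not vendor code)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Minimum fixed builds taken from the advisory text.
# Key: (release, on_fips_or_ndcpp_train) -> (build_major, build_minor)
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / 13.1-NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS only
}
# 13.0 (all trains) and 12.1 non-FIPS are End of Life: no fix will ship.
EOL_RELEASES = {"13.0"}

# ASSUMPTION: banner looks like "NetScaler NS14.1: Build 43.56.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class Verdict(NamedTuple):
    release: str
    build: str
    status: str   # "patched" | "vulnerable" | "eol" | "unknown"
    advice: str


def parse_banner(banner: str) -> Optional[Tuple[str, int, int]]:
    """Extract (release, build_major, build_minor) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(banner: str, fips: bool = False) -> Verdict:
    """Classify one appliance. `fips` marks the FIPS/NDcPP build train."""
    parsed = parse_banner(banner)
    if parsed is None:
        return Verdict("?", "?", "unknown", "could not parse version banner")
    release, major, minor = parsed
    build = f"{major}.{minor}"

    if release in EOL_RELEASES or (release == "12.1" and not fips):
        return Verdict(release, build, "eol",
                       "end of life, no patch: migrate to a supported release")

    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return Verdict(release, build, "unknown",
                       "release/train not covered by this advisory; check vendor")

    # Tuple comparison orders (43, 50) < (43, 56) < (44, 1) correctly,
    # which a plain string or float comparison would not.
    if (major, minor) >= fixed:
        return Verdict(release, build, "patched",
                       "fixed build present; run kill icaconnection -all and "
                       "kill pcoipConnection -all once the whole HA pair/cluster is upgraded")
    return Verdict(release, build, "vulnerable",
                   f"upgrade to {release}-{fixed[0]}.{fixed[1]} or later")


def triage(fleet: List[Tuple[str, str, bool]]) -> Dict[str, Verdict]:
    """Assess a list of (hostname, banner, fips) tuples; hostname -> Verdict."""
    return {host: assess(banner, fips) for host, banner, fips in fleet}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_FLEET: List[Tuple[str, str, bool]] = [
    ("gw-a", "NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025", False),
    ("gw-b", "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025", False),
    ("gw-c", "NetScaler NS13.1: Build 37.235.nc", True),    # FIPS: fixed
    ("gw-d", "NetScaler NS13.1: Build 37.235.nc", False),   # standard: not fixed
    ("gw-e", "NetScaler NS13.0: Build 92.21.nc", False),    # EOL
    ("gw-f", "NetScaler NS12.1: Build 55.328.nc", True),    # 12.1-FIPS: fixed
    ("gw-g", "NetScaler NS12.1: Build 55.328.nc", False),   # 12.1 non-FIPS: EOL
    ("gw-h", "command not found", False),
]

if __name__ == "__main__":
    for host, v in triage(SAMPLE_FLEET).items():
        print(f"{host:6} {v.release:>5}-{v.build:<8} {v.status:<10} {v.advice}")
```

Note the pair gw-c / gw-d: the same build number is fixed on the 13.1-FIPS train and still vulnerable on the standard 13.1 train, so the check must know which train an appliance runs rather than comparing numbers alone.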
Tactics, Techniques, and Procedures (TTPs)
The MITRE ATT&CK framework helps frame how these vulnerabilities fit into an intrusion:
- TA0001 – Initial Access: Exploitation of an exposed Gateway or AAA virtual server (CVE-2025-5777) to gain a foothold without credentials.
- TA0004 – Privilege Escalation: Exploiting the improper access control on the management interface (CVE-2025-5349) to reach privileged management functions.
- TA0006 – Credential Access: Harvesting credentials, session tokens, and configuration data from memory leaked by CVE-2025-5777.
- T1190 – Exploit Public-Facing Application: Exploiting the internet-facing Gateway or AAA virtual server. Neither CVE is described as yielding arbitrary command execution; the gain is leaked memory and, for CVE-2025-5349, management access.
- T1068 – Exploitation for Privilege Escalation: Abusing the access-control flaw in front of the management functions to perform actions the attacker is not entitled to.
- T1212 – Exploitation for Credential Access: Obtaining credentials and session tokens by exploiting the memory overread, a closer fit than T1003 (OS Credential Dumping), which describes reading credential stores on a host the attacker already controls.
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that fixes risks being exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.