
RelayState Ruse: Exploiting Reflected XSS in Citrix NetScaler


In the realm of cybersecurity, it’s not uncommon to stumble upon vulnerabilities while dissecting a system in the pursuit of reproducing an N-day. Security researchers at watchTowr Labs recently encountered such a scenario while analyzing CitrixBleed2 (CVE-2025-5777), which affected Citrix NetScaler appliances. During their analysis, they identified two vulnerabilities: a memory leak (WT-2025-0089) and a reflected cross-site scripting (XSS) vulnerability (CVE-2025-12101, also tracked as WT-2025-0090). While the memory leak was deemed a non-issue by Citrix, the reflected XSS vulnerability poses a potential risk.


Vulnerability Details

The identified reflected XSS vulnerability, CVE-2025-12101, exists within the single sign-on (SSO) flows of Citrix NetScaler, specifically affecting the RelayState parameter. This parameter is used during the authentication process to maintain the user’s session state between the identity provider and the service provider. The vulnerability arises due to the improper handling of the RelayState parameter at the /cgi/logout endpoint.

The attack can be carried out via a Cross-Site Request Forgery (CSRF) attack, since the /cgi/logout endpoint accepts HTTP POST requests that include a valid SAMLResponse and a modified RelayState. By crafting a malicious HTTP POST request, an attacker can inject arbitrary HTML and JavaScript code into the RelayState parameter to be executed within the user’s browser session.


Proof of Concept (PoC)

The following HTTP POST request demonstrates how to trigger the XSS vulnerability by injecting JavaScript code into the RelayState parameter:

POST /cgi/logout HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Host: target
Content-Type: application/x-www-form-urlencoded
Content-Length: 1629

SAMLResponse=[BASE64-SAML-Response]&RelayState=<@base64><https://<custom-domain>.com/></@base64>
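As an added defensive example (not code from this post, from watchTowr or from Citrix), the following Python shows the validation a logout handler should apply to a base64-encoded RelayState before reflecting it into the page, together with a check that flags /cgi/logout form bodies whose RelayState fails that validation. The allow-listed hosts, the redirect markup and the sample request bodies are constructed for the example.

```python
import base64
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hosts a post-logout redirect may point to (constructed allow-list, not Citrix's).
ALLOWED_RELAY_HOSTS = {"portal.example.com", "sso.example.com"}
MARKUP_RE = re.compile(r"[<>\"']")  # characters that must never reach the page unescaped

def encode_relay_state(url: str) -> str:
    """Build a base64 RelayState the way an identity provider would (test helper)."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")

def decode_relay_state(raw: str) -> Optional[str]:
    """Decode a base64 RelayState; None if it is not well-formed base64/UTF-8."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def is_safe_relay_state(raw: str) -> bool:
    """Accept only a base64-encoded https URL to an allow-listed host with no markup characters."""
    decoded = decode_relay_state(raw)
    if decoded is None or MARKUP_RE.search(decoded):
        return False
    parts = urlsplit(decoded)
    return parts.scheme == "https" and parts.hostname in ALLOWED_RELAY_HOSTS

def render_logout_redirect(relay_state: str) -> str:
    """Hardened rendering: validate first, then HTML-escape before the value enters the markup.
    The vulnerable pattern splices the reflected value into the page unchanged."""
    if not is_safe_relay_state(relay_state):
        return '<meta http-equiv="refresh" content="0;url=/">'
    target = html.escape(decode_relay_state(relay_state), quote=True)
    return f'<meta http-equiv="refresh" content="0;url={target}">'

def flag_logout_request(body: str) -> bool:
    """Detection: True when a /cgi/logout form body carries a RelayState that fails validation."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(not is_safe_relay_state(v) for v in fields.get("RelayState", []))

# Constructed sample bodies: a legitimate redirect and one carrying markup inside the RelayState.
LEGIT_BODY = urlencode({"SAMLResponse": "PHNhbWw+",
                        "RelayState": encode_relay_state("https://portal.example.com/home")})
MARKUP_BODY = urlencode({"SAMLResponse": "PHNhbWw+",
                         "RelayState": encode_relay_state("https://portal.example.com/<b>x</b>")})
```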

Affected Products

The reflected XSS vulnerability CVE-2025-12101 affects the following products:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-56.73
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-60.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.250-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.333-FIPS and NDcPP

Citrix NetScaler ADC and Gateway are application delivery and security appliances that provide load balancing, traffic management, and security features for web applications.


Impact & Exploit Potential

Successful exploitation of the reflected XSS vulnerability CVE-2025-12101 could have significant consequences. An attacker could execute arbitrary JavaScript code within the context of the user’s session, leading to:

  • Session hijacking: Gaining unauthorized access to a user’s session and sensitive data.
  • Defacement: Altering the appearance of the web page to mislead or harm users.
  • Redirection to malicious sites: Redirecting users to phishing or malware distribution sites.

Mitigation & Recommendations

Upgrade affected Citrix products to the fixed builds provided by the vendor:

  • NetScaler ADC and NetScaler Gateway 14.1-56.73, 13.1-60.32 or later
  • NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.250 or later
  • NetScaler ADC 12.1-FIPS and NDcPP 12.1-55.333 or later

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.