CVE-2025-5349 and CVE-2025-5777 affecting Citrix Netscaler products.


2:00pm, 24 June 2025

TLP Rating: Clear


CVE-2025-5777 (CVSS 9.3): Insufficient input validation leading to a memory overread. This vulnerability affects NetScaler products configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

CVE-2025-5349 (CVSS 8.7): Improper access control in the NetScaler Management Interface.

What's happening

Systems affected

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) but are also vulnerable.

What this means

Organisations that run affected NetScaler ADC and NetScaler Gateway versions could be exposed to the vulnerabilities listed above.

What to look for

How to tell if you're at risk

You are at risk if you are running a NetScaler ADC or NetScaler Gateway instance on one of the affected versions listed above.
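The version check above is easy to get wrong across a fleet, because the fixed build differs per release train and the FIPS/NDcPP images have their own thresholds. The following Python script is an added example (not CERT NZ or Citrix code) that classifies appliances against the fixed builds and EOL trains listed in this advisory. It assumes the first line of `show version` has the shape `NetScaler NS<train>: Build <build>.<sub>...` and that the operator supplies whether an appliance runs a FIPS/NDcPP image, since the build string alone is assumed not to identify that; the inventory entries are constructed samples.

```python
import re
from typing import NamedTuple, Optional, Tuple

# First fixed build per release train, taken from the advisory.
# Key: (train, is_fips_or_ndcpp). Value: (build, sub-build).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),    # 13.1-FIPS and NDcPP
    ("12.1", True): (55, 328),    # 12.1-FIPS
}

# Trains the advisory lists as end-of-life: vulnerable, with no fix build.
EOL_TRAINS = {"12.1", "13.0"}

# Assumed shape of the version line (hypothetical sample):
#   "NetScaler NS13.1: Build 58.19.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class Assessment(NamedTuple):
    train: str
    build: Tuple[int, int]
    status: str  # "patched" | "vulnerable" | "eol-vulnerable" | "unknown-train"


def parse_version(line: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (train, (build, sub)) from a version line, or None if unparsable."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(line: str, fips: bool = False) -> Optional[Assessment]:
    """Classify one appliance against the advisory's fixed builds.

    `fips` is supplied by the operator (assumption: the build string does not
    identify FIPS/NDcPP images). Tuple comparison is lexicographic, so
    (43, 50) < (43, 56) and (58, 32) > (37, 235) as intended.
    """
    parsed = parse_version(line)
    if parsed is None:
        return None
    train, build = parsed
    fixed = FIXED_BUILDS.get((train, fips))
    if fixed is not None:
        status = "patched" if build >= fixed else "vulnerable"
    elif train in EOL_TRAINS:
        status = "eol-vulnerable"      # 12.1 (non-FIPS) and 13.0: no fix available
    else:
        status = "unknown-train"       # not covered by this advisory; check vendor
    return Assessment(train, build, status)


# Constructed sample inventory: (hostname, version line, fips/ndcpp image?)
SAMPLE_INVENTORY = [
    ("gw-01", "NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2025", False),
    ("gw-02", "NetScaler NS14.1: Build 43.56.nc, Date: Jan 1 2025", False),
    ("gw-03", "NetScaler NS13.1: Build 37.200.nc, Date: Jan 1 2025", True),
    ("gw-04", "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2025", False),
    ("gw-05", "NetScaler NS12.1: Build 55.328.nc, Date: Jan 1 2025", True),
    ("gw-06", "unexpected output", False),
]


def assess_inventory(inventory) -> dict:
    """Return {hostname: status}; 'unparsed' where the version line is unrecognised."""
    results = {}
    for host, line, fips in inventory:
        a = assess(line, fips)
        results[host] = a.status if a else "unparsed"
    return results


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Unrecognised output is reported as "unparsed" rather than silently treated as patched, and trains the advisory does not cover come back as "unknown-train" so they are checked against the vendor advisory rather than assumed safe.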

What to do

Prevention

Update to the latest version of NetScaler ADC and NetScaler Gateway.

More information

Vendor advisory: Citrix Support (external link)

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

For media enquiries, email our media desk at media@ncsc.govt.nz.