Citrix NetScaler Vulnerability: XSS Flaw in ADC and Gateway Poses Security Risks

Citrix NetScaler ADC and Gateway Vulnerability Exposes Systems to Cross-Site Scripting Attacks

On November 12, 2025, Cloud Software Group disclosed a cross-site scripting (XSS) vulnerability affecting its NetScaler ADC and NetScaler Gateway products. This flaw, identified as CVE-2025-12101, enables attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, data theft, or unauthorized actions.

The vulnerability has been assigned a medium-severity Common Vulnerability Scoring System version 4 (CVSSv4) score of 5.9. The score reflects that the flaw is reachable over the network but, like most cross-site scripting bugs, depends on a victim interacting with attacker-supplied content (for example, following a crafted link) before any script runs in that user’s browser.

Understanding the Impact

NetScaler ADC, formerly known as Citrix ADC, and NetScaler Gateway are critical components in many organizations’ IT infrastructures. They serve as application delivery controllers and secure remote access solutions, managing VPN connections, load balancing, and authentication processes. Given their central role, these products are attractive targets for cyber attackers.

The XSS vulnerability arises from improper neutralization of input during web page generation, the weakness class catalogued as CWE-79. Exploitation requires a specific configuration: the NetScaler must be operating as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server for authentication. An appliance used only as a load balancer, with no Gateway or authentication virtual server configured, is not exposed to this particular issue, although it should still be kept on a fixed build.

Affected Versions and Configurations

The following versions of NetScaler ADC and Gateway are affected by this vulnerability:

– 14.1 before 14.1-56.73

– 13.1 before 13.1-60.32

– 13.1-FIPS and NDcPP before 13.1-37.250-FIPS and NDcPP

– 12.1-FIPS and NDcPP before 12.1-55.333-FIPS and NDcPP

Note that the non-FIPS 12.1 release and all of 13.0 have reached end-of-life (EOL). No fix for this issue will be published for them, so a 12.1 (non-FIPS/NDcPP) or 13.0 appliance running as a Gateway or AAA server remains exposed until it is moved to a supported release. Organizations using Secure Private Access on-premises or hybrid deployments that rely on NetScaler instances are also affected and should upgrade those NetScaler components promptly.

Detection and Mitigation

Administrators can determine whether an appliance is in an exposed configuration by inspecting its running configuration (ns.conf or the output of show ns runningConfig) for an authentication virtual server (an "add authentication vserver" entry) or a Gateway virtual server (an "add vpn vserver" entry, which is also where ICA Proxy, CVPN and RDP Proxy are configured). No active exploitation had been reported at the time of disclosure, but cross-site scripting bugs are typically quick to weaponize once the injection point becomes public, so the absence of reports should not be read as absence of risk, particularly for unpatched or end-of-life appliances that face the internet.

To mitigate the risk, Cloud Software Group strongly recommends upgrading to the following patched releases:

– NetScaler ADC and Gateway 14.1-56.73 or later

– NetScaler ADC and Gateway 13.1-60.32 or later

– NetScaler ADC and Gateway 13.1-FIPS and 13.1-NDcPP 13.1-37.250 or later

– NetScaler ADC and Gateway 12.1-FIPS and 12.1-NDcPP 12.1-55.333 or later (the FIPS/NDcPP builds are the only 12.1 variants that receive a fix)

For systems running EOL versions, migrating to supported versions is essential to mitigate risks. Cloud Software Group provides these fixes without charge but emphasizes that the information is offered as is, with no warranties regarding system impact.
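As an added illustration (this is not tooling from Cloud Software Group or from the original article), the following Python script combines the two checks described above: whether the appliance is in the exposed Gateway/AAA configuration, and whether its build is at or above the fixed build for its release train. The fixed builds are taken from the advisory. The format of the version string and the exact ns.conf command syntax are assumptions about appliance output, and the sample version and config are constructed; on a real appliance, paste in the output of show ns version and show ns runningConfig, and set fips=True for a FIPS/NDcPP build, since those trains are compared against their own fixed builds.

```python
"""
Local pre-check for CVE-2025-12101 exposure on NetScaler ADC / Gateway.

Added example, not vendor tooling. It encodes two facts from the advisory:
 1. the flaw is only reachable when a Gateway (vpn) or AAA (authentication)
    virtual server is configured;
 2. the fixed build per release train, with FIPS/NDcPP trains fixed separately.
The `show ns version` line format and the ns.conf syntax are assumptions.
"""
import re

# Fixed builds from the advisory, keyed by (release train, FIPS/NDcPP build).
FIXED_BUILDS = {
    ("14.1", False): (56, 73),
    ("13.1", False): (60, 32),
    ("13.1", True): (37, 250),
    ("12.1", True): (55, 333),
}
# Trains for which no fix exists: all of 13.0 and the non-FIPS 12.1 builds.
EOL_TRAINS = {"12.1", "13.0"}

# Assumed shape of a `show ns version` line, e.g. "NetScaler NS14.1: Build 56.72.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")
# Config commands that place the appliance in the exposed Gateway / AAA configuration.
EXPOSED_VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.M)


def parse_version(show_version_output: str):
    """Return (train, (build_major, build_minor)), e.g. ("14.1", (56, 72))."""
    m = VERSION_RE.search(show_version_output)
    if m is None:
        raise ValueError("unrecognised NetScaler version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def exposed_vservers(ns_conf: str):
    """List 'kind:name' for every vpn/authentication vserver in a config dump."""
    return [f"{kind}:{name}" for kind, name in EXPOSED_VSERVER_RE.findall(ns_conf)]


def assess(show_version_output: str, ns_conf: str, fips: bool = False) -> dict:
    """Classify an appliance as not_exposed / patched / vulnerable / eol_no_fix / unknown_train."""
    train, build = parse_version(show_version_output)
    exposed = exposed_vservers(ns_conf)
    fixed = FIXED_BUILDS.get((train, fips))
    if not exposed:
        status = "not_exposed"      # flaw not reachable; still patch on the normal cycle
    elif fixed is None:
        status = "eol_no_fix" if train in EOL_TRAINS else "unknown_train"
    elif build < fixed:             # tuple comparison: (56, 72) < (56, 73)
        status = "vulnerable"
    else:
        status = "patched"
    return {"train": train, "build": build, "fips": fips,
            "exposed": exposed, "fixed_build": fixed, "status": status}


# Constructed sample output standing in for the real appliance commands.
SAMPLE_VERSION = "NetScaler NS14.1: Build 56.72.nc, Date: Sep 30 2025, 12:00:00   (64-bit)"
SAMPLE_CONF = """\
add lb vserver web_vs HTTP 10.0.0.7 80
add authentication vserver auth_vs SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.6 443
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

The build comparison is deliberately scoped to a single train: a 13.1-FIPS appliance at build 37.200 is below its own fixed build 37.250 and is reported vulnerable, even though 37.x is well below the 60.32 fix of the standard 13.1 train. A "not_exposed" result means the prerequisite for this CVE is absent, not that the appliance is up to date.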

Broader Security Context

This disclosure comes at a time of heightened scrutiny of supply chain and remote access vulnerabilities. Devices that terminate VPN sessions and handle authentication sit at the edge of the network and are worth prioritizing for prompt patching and regular configuration audits; knowing which appliances actually carry a Gateway or AAA virtual server is what turns an advisory like this one into a short, concrete remediation list.