
NetScaler Web App Firewall (WAF) protects organizations against actively exploited Apache Tomcat and NGINX Kubernetes ingress vulnerabilities by delivering fast, highly effective signature updates — even in secure or restricted environments. With bad actors constantly developing new threats, staying protected against zero-day threats and critical CVEs like those affecting Apache and NGINX Kubernetes ingress requires more than just waiting on infrastructure patches. This blog post covers what these vulnerabilities are, why they’re dangerous, and how NetScaler WAF signature updates provide timely protection without compromising performance or deployment flexibility.
On March 28, 2025, Cloud Software Group released NetScaler WAF signatures to detect and block exploit attempts targeting CVE-2025-24813 and CVE-2025-1974 — two high-severity vulnerabilities affecting infrastructure widely used by modern applications and platforms:
- CVE-2025-24813 targets Apache Tomcat and can lead to remote code execution (RCE), information disclosure, or malicious file injection.
- CVE-2025-1974 affects Kubernetes ingress-nginx, allowing unauthenticated attackers within the pod network to execute arbitrary code (RCE) and potentially access sensitive cluster-wide secrets.
Both vulnerabilities have been actively exploited, underscoring the urgency for organizations to apply the recommended patches and enhance their security posture. Implementing robust security measures, such as web application firewalls (WAFs) with tailored signatures, is crucial in mitigating these threats — a concern highlighted by their inclusion in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog.
Understanding CVE-2025-24813 (Apache Tomcat)
CVE-2025-24813 has a CVSS 3.0 Score of 9.8. CVSS Scores capture the risk of a vulnerability on a scale of 1 to 10 and are recognized by NIST. CVE-2025-24813 targets Apache Tomcat and can lead to remote code execution (RCE), information disclosure, or malicious file injection. It is a path equivalence vulnerability in Apache Tomcat, a widely used open-source web server and servlet container.
This flaw arises from improper handling of file paths containing internal dots (for example: file.name), which, under specific conditions, can lead to unauthorized viewing of sensitive files, injection of malicious content, and remote code execution. The vulnerability affects Apache Tomcat versions from 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2.
Understanding CVE-2025-1974 (NGINX)
CVE-2025-1974 has a CVSS 3.0 Score of 9.8. This CVE is found in the ingress-nginx controller of a Kubernetes deployment and allows unauthenticated attackers within the pod network to execute arbitrary code (remote code execution). This can result in unauthorized disclosure of sensitive information, including secrets accessible to the controller.
Successful exploitation of CVE-2025-1974 can lead to control over the ingress-nginx controller pod. Due to the pod’s often elevated privileges and access to cluster-wide secrets, an attacker could compromise the entire cluster, gain unauthorized data access, and move laterally within the environment, exposing an organization to even further risk.
Why update NetScaler WAF signatures
While software vendors release patches for these vulnerabilities, WAFs like NetScaler’s offer immediate protection at the application layer — often before patches can be rolled out across an entire environment. Here’s how NetScaler WAF helps security teams stay ahead:
Signature-based + behavior-based detection
NetScaler WAF offers robust protection against a wide array of web-based threats, including zero-day exploits, bot attacks, and the OWASP Top 10, ensuring your applications remain secure and compliant. The hybrid security model of NetScaler WAF leverages both signature-based and behavior-based threat detection to block unwanted traffic, while using positive security checks to enforce what is allowed.
One-pass architecture = 89% lower latency
Unlike many traditional WAF solutions, NetScaler’s one-pass architecture processes traffic efficiently, resulting in significantly lower latency. According to a Tolly Group report, NetScaler achieved up to 89 percent lower latency per request compared to F5’s BIG-IP Virtual Edition, ensuring strong security without compromising on performance when security functions are enabled.
Fast updates, even without firmware changes
To maintain the highest level of performance and security, it is important that you keep your WAF signatures regularly updated. The latest WAF signature updates, versions 149 and 150, are applicable to the older supported versions of NetScaler (Citrix ADC 12.1 and Citrix ADC 13.0) and to the current NetScaler 13.1 and NetScaler 14.1 releases. Given the increasing severity and frequency of security vulnerabilities worldwide, staying current with signature updates is essential to safeguarding your environment against both known and emerging threats.
Offline update support
Even in air-gapped or restricted environments, NetScaler makes it easy to manually download and apply WAF signature updates. This flexibility ensures strong protection in high-security or regulated deployments — without compromising ease of use.
Included with Citrix Universal Hybrid Multi-Cloud and Citrix Platform Licenses
WAF signatures are a key component of NetScaler’s hybrid security model and they can be updated independently of firmware upgrades, enabling faster response times to emerging threats. Additionally, if you have either the Universal Hybrid Multi-Cloud (UHMC) or Citrix Platform License (CPL), you already own entitlements to this capability across all your NetScaler instances.
How to update NetScaler WAF signatures
As threat actors increasingly target widely used platforms like Apache Tomcat and NGINX, you need to be proactive, not reactive. NetScaler WAF makes that possible with fast, flexible, and high-performance protection that responds quickly to critical CVEs. By keeping your WAF signatures up to date, you can defend against today’s threats — and be ready for whatever comes next.
If you are already using NetScaler WAF, update to the latest NetScaler Web App Firewall (WAF) signatures.
For instructions on how to turn on NetScaler WAF, see the NetScaler WAF deployment guide.