NetScaler Blog

Application delivery and security blog


Medium severity security update announced for NetScaler Gateway and NetScaler

November 11, 2025 by Anil Shetty

Cloud Software Group released builds on November 11, 2025, to address one security vulnerability. NetScaler Gateway and NetScaler are affected by CVE-2025-12101, which has a CVSS score of 5.9.

CVE-2025-12101 is a cross-site scripting vulnerability impacting NetScaler Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server). Insufficient validation controls enable a malicious party to inject CRLF control characters into HTTP responses.

NetScaler recommends that its customers follow the secure deployment guidelines and the feature documentation for configuring AAA, which advise configuring an Auth vServer only when the AAA feature is enabled. Not configuring the AAA feature when an Auth vServer is configured may lead to unintended consequences.

Cloud Software Group thanks Sina Kheirkhah of watchTowr and Dylan Pindur of Assetnote for working with us to protect NetScaler customers. 

As of November 11, 2025, Cloud Software Group has no reason to believe that this vulnerability has an unmitigated exploit available in NetScaler deployments. 

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by CVE-2025-12101:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-56.73
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-60.32
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.250-FIPS and 13.1 NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.333-FIPS and 13.1 NDcPP

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the following relevant updated versions as soon as possible:  

  • NetScaler ADC and NetScaler Gateway 14.1-56.73 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-60.32 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.250 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.333 and later releases of 12.1-FIPS and 12.1-NDcPP
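To check an inventory against the fixed builds listed above, the following is an added example (not code from Cloud Software Group or NetScaler). The edition labels, host names, and the `release-build` input format are assumptions of this example; the build thresholds are the ones in the list.

```python
import re

# Fixed builds for CVE-2025-12101, copied from the advisory's list above.
# The edition labels "standard" and "fips-ndcpp" are this example's own names.
FIXED_BUILDS = {
    ("14.1", "standard"): (56, 73),
    ("13.1", "standard"): (60, 32),
    ("13.1", "fips-ndcpp"): (37, 250),
    ("12.1", "fips-ndcpp"): (55, 333),
}

# Matches the "release-major.minor" form the advisory uses, e.g. "14.1-56.73".
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version, edition="standard"):
    """Classify one build string as 'fixed', 'affected' or 'unlisted'."""
    match = _BUILD_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised build string: {version!r}")
    release = match.group(1)
    build = (int(match.group(2)), int(match.group(3)))
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        # The advisory lists supported branches only, so a branch that is
        # absent from it is reported separately rather than treated as safe.
        return "unlisted"
    # Compare as integers: as text, "56.8" would sort after "56.73".
    return "fixed" if build >= fixed else "affected"


def triage(inventory):
    """Map each host to its status; inventory is {host: (version, edition)}."""
    return {host: assess(ver, ed) for host, (ver, ed) in inventory.items()}


# Constructed sample inventory; host names and builds are made up.
SAMPLE_INVENTORY = {
    "gw-01": ("14.1-56.73", "standard"),
    "gw-02": ("14.1-56.8", "standard"),
    "gw-03": ("13.1-37.250", "fips-ndcpp"),
    "gw-04": ("13.1-59.22", "standard"),
    "gw-05": ("12.1-65.15", "standard"),
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unlisted` are on a branch the list does not cover and need to be reviewed by hand.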

Update installation

Download permanent fixes for NetScaler

NetScaler and Citrix are both part of Cloud Software Group, and share the same ticketing system. If you encounter issues when you are updating your affected builds, please contact Citrix Customer Support, irrespective of whether your product includes NetScaler branding or Citrix branding.  

Note: Starting with 14.1 51.x, 13.1-60.x, and 13.1-37.x (FIPS) for NetScaler ADC builds (which include the VPX, MPX, and SDX form factors), and with 14.1 51.x and 13.1-60.x for NetScaler SVM, NetScaler has started to enforce the SA (Subscription Advantage) date and the BID (Burn-In Date). This means that if the Burn-In Date of the NetScaler build you are upgrading to is later than the SA date in the perpetual license file used on your NetScaler instance, the instance will become unlicensed after the upgrade. Please refer to the documentation for more details. This change is also covered in the NetScaler release notes for 14.1 and 13.1 under CTXENG-68283.

Learn more and stay up to date

Read the security bulletin for NetScaler and NetScaler Gateway

Sign up for security bulletin notifications

See the NetScaler Secure Deployment Guide

Categories: News Tagged With: NetScaler news, NetScaler security updates
