Critical security updates for NetScaler, NetScaler Gateway, and NetScaler Console

June 17, 2025 by Anil Shetty

Cloud Software Group released builds on June 17, 2025, to address three security vulnerabilities. NetScaler Gateway is affected by CVE-2025-5777, which has a CVSS score of 9.3; CVE-2025-5349 impacts all NetScaler form factors (CVSS 8.7); and CVE-2025-4365 impacts on-premises NetScaler Console (CVSS 6.9).

CVE-2025-5777 is a critical severity vulnerability that affects NetScaler Gateway, that is, any NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

The vulnerability arises from insufficient input validation leading to a memory overread. Cloud Software Group (CSG) strongly recommends upgrading the impacted NetScalers to the builds containing the fix.

The following builds are impacted:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.234
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP before 12.1-55.327

Cloud Software Group strongly recommends that affected customers of NetScaler ADC and NetScaler Gateway install the relevant updated versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.234 and later releases
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.327 and later releases

Additionally, CSG strongly recommends executing the following commands after the builds containing the fix have been deployed across HA pairs and all cluster nodes:

     kill icaconnection -all
     kill pcoipConnection -all

Executing these commands terminates all active ICA and PCoIP sessions. Rebooting appliances instead of running these commands isn't recommended. In cluster deployments, CSG recommends executing the kill commands on each node; in an HA pair, executing them on the primary (active) node is sufficient.
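The fixed-build lists above have a pitfall when checking an estate: the 13.1-FIPS/NDcPP fix (13.1-37.234) carries a lower build number than the mainline 13.1 fix (13.1-58.32), so a numeric comparison that ignores the branch will misclassify appliances. The following triage helper is an added example, not code from the advisory or from NetScaler; it assumes the version string has the shape `NetScaler NS14.1: Build 43.56.nc, ...` as printed by `show ns version`, and requires the operator to state the branch (main, fips) explicitly.

```python
import re

# Fixed builds per (release, branch), taken from the advisory's lists for
# CVE-2025-5777 / CVE-2025-5349. "fips" also covers the NDcPP builds.
FIXED_BUILDS = {
    ("14.1", "main"): (43, 56),
    ("13.1", "main"): (58, 32),
    ("13.1", "fips"): (37, 234),
    ("12.1", "fips"): (55, 327),
}

# Assumed shape of `show ns version` output, e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: ..." (the regex is an assumption).
VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) from version output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor = m.group("build").split(".")
    return m.group("release"), (int(major), int(minor))


def is_fixed(text, branch="main"):
    """True if the running build is at or above the fixed build for its branch.

    The branch must be supplied because build numbers alone are ambiguous:
    13.1-FIPS is fixed at 37.234, numerically below the mainline 13.1 fix at
    58.32. Raises KeyError for a release/branch the advisory does not list,
    so unlisted builds are never silently reported as safe.
    """
    release, build = parse_version(text)
    return build >= FIXED_BUILDS[(release, branch)]


def needs_upgrade(inventory):
    """inventory: iterable of (name, branch, version_text); returns names still exposed."""
    return [name for name, branch, text in inventory if not is_fixed(text, branch)]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and version strings).
    sample = [
        ("gw-dc1", "main", "NetScaler NS14.1: Build 43.56.nc, Date: Jun 17 2025"),
        ("gw-dc2", "main", "NetScaler NS13.1: Build 58.19.nc, Date: May 2 2025"),
        ("gw-fips", "fips", "NetScaler NS13.1: Build 37.234.nc, Date: Jun 17 2025"),
    ]
    print("still exposed:", needs_upgrade(sample))  # prints ['gw-dc2']
```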

CVE-2025-5349 is a high severity vulnerability that arises from improper access control on the NetScaler management interface.

This impacts all NetScaler form factors, but exploiting it requires access to the NetScaler IP (NSIP), the Cluster Management IP, or the Local GSLB site IP, and the management interface must be enabled on the appliance. The impacted builds and the builds containing the fix are the same for CVE-2025-5349 and CVE-2025-5777.

Note: NetScaler SPA on-premises instances are also affected by these vulnerabilities, and customers need to upgrade those instances to the recommended NetScaler builds. The upgrade action applies only to customer-managed NetScaler, NetScaler Gateway, and NetScaler SPA instances. Cloud Software Group updates Citrix-managed cloud services and Citrix-managed Adaptive Authentication instances with the necessary software; cloud customers do not need to take any additional action.

CVE-2025-4365 is a medium severity vulnerability in NetScaler Console that allows attackers to read arbitrary files.

This could result in unauthorized access, as sensitive configuration files and private keys become readable, potentially compromising other systems and accounts. Exploitation requires authenticated access to NetScaler Console, and in most deployments access to NetScaler Console is guarded by an identity and access management (IDAM) solution, so the risk of an unauthorized attacker gaining access is contained. If access to NetScaler Console isn't gated by an IDAM solution, or if local authentication is still in use, CSG strongly recommends that customers adopt an IDAM solution and disable local authentication. Additionally, please refer to the secure deployment and access practices for NetScaler Console.

The following supported versions of NetScaler Console are affected:

  • NetScaler Console 14.1 before 14.1-43.56
  • NetScaler Console 13.1 before 13.1-58.32

Cloud Software Group strongly urges customers of NetScaler Console and NetScaler Agent to install the relevant updated versions as soon as possible:

  • NetScaler Console 14.1-43.56 and later releases
  • NetScaler Console 13.1-58.32 and later releases of 13.1

Please note that this vulnerability applies only to customer-managed NetScaler Console. Customers using the NetScaler Console service don't need to take any action, as updates to the service are managed by Cloud Software Group.

Update installation

Download permanent fixes for NetScaler Console

Download permanent fixes for NetScaler 

NetScaler and Citrix are both part of Cloud Software Group and share the same ticketing system. If you encounter issues when updating your affected builds, please contact Citrix Customer Support, regardless of whether your product carries NetScaler or Citrix branding.

Learn more and stay up to date

  • Read the security bulletin for NetScaler and NetScaler Gateway
  • Read the security bulletin for NetScaler Console
  • Sign up for security bulletin notifications
  • See the NetScaler Secure Deployment Guide

