Citrix has identified critical vulnerabilities in Citrix Netscaler ADC and NetScaler Gateway Products (CVE-2025-5349 and CVE-2025-5777).
The Australian Signals Directorate’s ACSC recommends organisations update affected products to the latest versions and follow the advice detailed in the Citrix Security Advisory.
You can read the advisory here.
This alert has been written primarily for; but is not limited to, business and government.
Citrix has identified the following vulnerabilities affecting Netscaler ADC and NetScaler Gateway products.
- CVE-2025-5777: Insufficient input validation, leading to memory overread, potentially leading to the exposure of sensitive data. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; and
- CVE-2025-5349: Improper access control on the NetScaler Management Interface.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56;
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32;
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP; and
- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS.
Citrix advises that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end of life and not receiving patches.
Australian organisations should review their networks for use of vulnerable instances of the NetScaler ADC and NetScaler Gateway products and consult Citrix’s customer advisory and the Citrix Security Advisory for mitigation advice.
