Critical Vulnerability Reported in Citrix NetScaler ADC and Gateway (CVE-2025-12101)

Executive Summary

On November 11th, Citrix published an advisory detailing a critical vulnerability in their NetScaler ADC and NetScaler Gateway product lines. This bug (tracked as CVE-2025-12101) is a cross-site scripting (XSS) vulnerability affecting NetScaler ADC or NetScaler Gateway devices when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. These devices are typically deployed internet-facing by design, so this vulnerability can be used by threat actors to gain initial access to an organization’s internal network.

There are no public technical details of the vulnerability or public proof-of-concept (PoC) exploits available at the time of writing. Beazley Security recommends that affected organizations upgrade impacted devices as soon as possible.

Affected Systems and Products

Software                                   Affected Versions

NetScaler ADC and NetScaler Gateway 14.1   Before 14.1-56.73
NetScaler ADC and NetScaler Gateway 13.1   Before 13.1-60.32
NetScaler ADC 13.1-FIPS and NDcPP          Before 13.1-37.250-FIPS and NDcPP
NetScaler ADC 12.1-FIPS and NDcPP          Before 12.1-55.333-FIPS and NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end of life and no longer supported. Customers on those versions should upgrade their appliances to one of the supported versions that address the vulnerability.

Mitigations and Workarounds

Citrix has indicated there are no effective mitigations or workarounds for this vulnerability. Organizations should update impacted NetScaler ADC and NetScaler Gateways to the latest patched versions.

If patches cannot be immediately applied, network access to the appliances should be restricted to trusted networks only.

Patches

Citrix has released advisory CTX695486 to track versioning and patching information for this issue. Citrix has released patches for this issue; further technical support is available by logging into the Citrix Support Center.

Technical Details

Details of the vulnerability have not been provided, but Citrix has provided guidance on how to determine whether an organization has a vulnerable configuration on its devices. The appliance is affected when its configuration contains either of the following:

  • An Auth Server (AAA Vserver):
    • add authentication vserver .*
  • A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy):
    • add vpn vserver .*
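The configuration check above can be combined with the advisory's affected-versions table to triage an appliance offline. The following is an added example, not code from Citrix or Beazley Security; it assumes a version string in the advisory's own "14.1-56.73" form (with a "-FIPS" suffix assumed for the FIPS/NDcPP builds) and runs over a constructed ns.conf excerpt.

```python
import re

# Minimum fixed build per branch, from the affected-versions table above.
# Key: (branch, is_fips_ndcpp). 12.1 non-FIPS and 13.0 are end of life and absent.
FIXED_BUILDS = {
    ("14.1", False): (56, 73),
    ("13.1", False): (60, 32),
    ("13.1", True): (37, 250),
    ("12.1", True): (55, 333),
}

# The two configuration lines the advisory names as the vulnerable surface.
EXPOSED_LINE = re.compile(r"^add (?:authentication|vpn) vserver .*$", re.M)

# Constructed ns.conf excerpt (not from any real appliance) with one AAA
# vserver, one Gateway vserver and one unrelated load-balancing vserver.
CONSTRUCTED_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.10 80
add authentication vserver aaa_vs SSL 10.0.0.20 443
add vpn vserver gw_vs SSL 10.0.0.30 443
"""

def parse_version(ver):
    """Split '14.1-56.73' / '13.1-37.250-FIPS' into (branch, (build, sub), fips)."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)(-FIPS)?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {ver!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3))), m.group(4) is not None

def build_is_patched(ver):
    """True only when the build is at or above the fixed build for its branch."""
    branch, build, fips = parse_version(ver)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return False  # EOL or unknown branch: no fix available, treat as unpatched
    return build >= fixed

def exposed_vservers(ns_conf):
    """Return the 'add authentication vserver' / 'add vpn vserver' lines."""
    return EXPOSED_LINE.findall(ns_conf)

def assess(ver, ns_conf):
    """Exposed only if the build is unpatched AND a Gateway/AAA vserver exists."""
    patched = build_is_patched(ver)
    exposed = exposed_vservers(ns_conf)
    return {
        "patched": patched,
        "exposed_vservers": exposed,
        "vulnerable": (not patched) and bool(exposed),
    }
```

An appliance that only serves load-balancing vservers is out of scope for this advisory even on an old build, while an EOL 13.0 build with a Gateway vserver is reported as vulnerable because no fixed build exists for it.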

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.
