Two New Citrix Vulnerabilities Demand Urgent Review and Response

Citrix has disclosed two critical vulnerabilities affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. Published under Citrix article CTX693420, they introduce real risk to environments that have not been patched or properly segmented. CVE-2025-5349 can allow unauthorized access to the management interface, and CVE-2025-5777 can expose sensitive information from appliance memory.
As part of our ongoing Citrix practice and customer support, the Alchemy team reviewed both vulnerabilities and what they mean in practice.
The Vulnerabilities
CVE-2025-5349
Improper access control on the NetScaler management interface. An attacker who can reach the NSIP, the cluster management IP, or a local GSLB site IP can gain unauthorized access to the management interface. If any of those addresses is reachable from an untrusted network, this is a direct path into the control plane. CVSS 4.0 base score: 8.7.
CVE-2025-5777
Insufficient input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Crafted requests cause a memory overread, returning the contents of appliance memory to the attacker. This is an information disclosure, not a memory overwrite, but the disclosed memory can contain sensitive data. CVSS 4.0 base score: 9.3.
Both CVEs carry high-to-critical CVSS scores. They require fast attention, even though no confirmed active exploitation had been reported at the time of writing.
What Alchemy Recommends
1. Confirm your current NetScaler version
The following supported versions of NetScaler ADC and NetScaler Gateway are affected; if you are running a build earlier than the one listed for your release, your appliance is at risk:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End-of-Life (EOL), remain vulnerable, and will not receive a fix. Customers on those releases should upgrade their appliances to one of the supported versions that address the vulnerabilities.
Additional Note: The vulnerabilities also affect Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances. To address the vulnerabilities, customers must upgrade these NetScaler instances to the recommended NetScaler builds.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Adaptive Authentication with the necessary software updates.
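A quick way to triage a fleet against the build table above, as an added example written for this article (not Citrix or Alchemy tooling): the script parses the first line of `show ns version` output and compares the build number against the fixed builds listed in CTX693420, treating 12.1 and 13.0 as EOL (with 12.1-FIPS as the supported exception). The banner format it expects (`NetScaler NS14.1: Build 43.50.nc, Date: ...`) is assumed from typical NetScaler CLI output, the hostnames and banners in the sample inventory are constructed, and whether an appliance is a FIPS/NDcPP platform is passed in explicitly rather than guessed from the banner.

```python
"""Triage NetScaler 'show ns version' output against the CTX693420 fixed builds.

Added example for this article, not Citrix or Alchemy tooling. The banner
format (NetScaler NS<release>: Build <major>.<minor>...) is assumed from
typical NetScaler CLI output; the sample banners below are constructed.
"""
import re

# Minimum fixed build per (release, variant), taken from CTX693420.
# 13.1-FIPS and 13.1-NDcPP share the 37.235 build line.
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),
    ("12.1", "fips"): (55, 328),
}

# Releases the advisory lists as EOL with no fix (12.1-FIPS is the exception above).
EOL_RELEASES = {"12.1", "13.0"}

BANNER_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(banner: str) -> tuple[str, tuple[int, int]]:
    """Extract (release, (major, minor)) from a 'show ns version' banner line."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(banner: str, variant: str = "standard") -> str:
    """Classify an appliance as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    variant is 'standard' or 'fips' (use 'fips' for FIPS and NDcPP platforms).
    The platform type is not reliably recoverable from the banner, so the
    operator supplies it; a 12.1 standard build is EOL while 12.1-FIPS is not.
    """
    release, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "eol" if release in EOL_RELEASES else "unknown"
    # Tuple comparison handles build 43.50 < 43.56 and 57.26 < 58.32 correctly.
    return "fixed" if build >= fixed else "vulnerable"


def triage(appliances: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Map appliance name -> verdict for an inventory of {name: (banner, variant)}."""
    return {name: assess(banner, variant) for name, (banner, variant) in appliances.items()}


# Constructed sample inventory (hostnames, banners and dates are made up).
SAMPLE_INVENTORY = {
    "gw-dc1": ("NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025, 10:00:00", "standard"),
    "gw-dc2": ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025, 10:00:00", "standard"),
    "adc-legacy": ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 15 2024, 10:00:00", "standard"),
    "adc-fips": ("NetScaler NS13.1: Build 37.176.nc, Date: Feb 1 2025, 10:00:00", "fips"),
}

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:12} {verdict}")
```

Feed it the first line of `show ns version` from each appliance (or from the management API) and act on anything that is not `fixed`; an `unknown` result means a release the advisory does not cover and should be checked by hand rather than assumed safe.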
2. Upgrade to a secure build immediately
After upgrading, Citrix recommends terminating all active ICA and PCoIP sessions so that sessions established on a vulnerable build are not carried over. Run the following from the NetScaler CLI:
- kill icaconnection -all
- kill pcoipConnection -all
3. Lock down access to the management interfaces
No management IP (NSIP, cluster management IP, GSLB site IP) should be reachable from untrusted networks. Place management addresses on a dedicated management network and use network segmentation and ACLs to limit which sources can reach them.
4. Don’t delay migration planning
If you are still running EOL builds, migration planning cannot wait. These releases will not receive a fix, so the only remediation is a supported upgrade path, and the longer an unsupported appliance stays in production, the longer it remains exposed.
What We’re Seeing
At Alchemy, we’ve helped several enterprise clients assess exposure and execute upgrade plans. Legacy builds were often still in production, especially in environments with older Gateway or VPN configurations.
Our Citrix engineers are available to:
- Review your current build and architecture
- Guide patching and rollback planning
- Help you migrate off unsupported platforms
- Implement additional security controls to reduce exposure
Need help assessing your risk or scheduling an upgrade?
If you’re unsure whether your NetScaler configuration is secure or compliant with current best practices, now is the time to find out. Alchemy’s NetScaler Health Check goes beyond patching—we assess system hardening, configuration drift, and gateway exposure to give you precise, prioritized action steps. Whether you need fast remediation or a complete upgrade plan, our team is ready to help.