
Citrix Netscaler ADC and Gateway: Update closes cross-site scripting gap

Attackers can exploit a cross-site scripting vulnerability in Citrix's Netscaler ADCs and Gateways. Updates close it.


A security vulnerability has been discovered in Citrix's Netscaler ADC and Gateway. Updated software is available that closes the cross-site scripting vulnerability. Admins should install it quickly.


Citrix's security bulletin provides very little information about the vulnerability. A table offers only keyword hints: it is a cross-site scripting (XSS) vulnerability classified under the Common Weakness Enumeration as CWE-79, "Improper Neutralization of Input During Web Page Generation." In the classic case, XSS lets an attacker inject JavaScript via a crafted link that the victim must click for the code to execute in the victim's browser. The injected script can then, for example, read session cookies (those not flagged HttpOnly), which the attacker could use to take over the victim's session (CVE-2025-12101, CVSS 4.0 score 5.9, risk "medium").

Citrix notes that a Netscaler is only affected when it is configured as a gateway (VPN virtual server, ICA proxy, CVPN or RDP proxy) or as an AAA virtual server, and therefore treats these as preconditions an attacker must find in place. This overlooks that exactly this configuration is common wherever Netscalers publish applications to the internet. Citrix further counts user interaction, in this case clicking a link, as a requirement.

CVSS 4.0 expresses these as the vector components "AT:P" (Attack Requirements: Present) and "UI:A" (User Interaction: Active). Both substantially lower the score calculated under CVSS 4.0. In this case, especially for "AT:P", it is debatable whether the metric reflects practice.

CERT-Bund bases its severity ratings on CVSS 3.1, which has no such components. The BSI department therefore arrives at the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:X, which yields a base score of 8.8, risk "high", narrowly missing the "critical" band. CERT-Bund confirmed this to heise online upon request. Note that the 8.8 is the base score: the temporal metrics E:U (exploit unproven) and RL:O (official fix available) that the vector also carries would, if applied, lower the temporal score to 7.7.


The practical severity probably lies somewhere between the two CVSS values, so admins should act promptly and install the updates. The vulnerability is fixed in Netscaler ADC and Gateway 14.1-56.73 and 13.1-60.32, Netscaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.250, and Netscaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.333, as well as all newer builds of each branch. Netscaler ADC and Gateway 13.0 and 12.1 have reached end of life and no longer receive updates.
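The check an admin actually needs is "is my build at or above the fixed build for my branch and variant?". The following Python helper is an added example (not a Citrix tool) that encodes exactly the thresholds listed above, including the separate FIPS/NDcPP build tracks and the two end-of-life branches. It assumes the version is written the way the article writes it, `<major>.<minor>-<build>.<sub>` (a trailing `.nc` as printed by `show version` is tolerated); the variant must be supplied by the caller because the version string alone does not reveal whether a 13.1 or 12.1 box runs a FIPS/NDcPP build.

```python
"""Classify a NetScaler build against the fixed builds for CVE-2025-12101.
Added example; thresholds are those quoted in the article, the version-string
format is an assumption (see parse_version)."""
from __future__ import annotations

import re

# (branch, variant) -> first fixed build as quoted in the article.
# variant is "standard", "FIPS" or "NDcPP"; end-of-life branches map to None.
FIXED_BUILDS: dict[tuple[str, str], tuple[int, int] | None] = {
    ("14.1", "standard"): (56, 73),
    ("13.1", "standard"): (60, 32),
    ("13.1", "FIPS"): (37, 250),
    ("13.1", "NDcPP"): (37, 250),
    ("12.1", "FIPS"): (55, 333),
    ("12.1", "NDcPP"): (55, 333),
    ("13.0", "standard"): None,   # end of life, no fix will ship
    ("12.1", "standard"): None,   # end of life, no fix will ship
}

# Assumed format: "14.1-56.73" or "14.1-56.73.nc" (suffix ignored).
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[str, tuple[int, int]]:
    """Split '14.1-56.73' into ('14.1', (56, 73)) so builds compare as ints."""
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build, sub = match.groups()
    return branch, (int(build), int(sub))


def assess(version: str, variant: str = "standard") -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for a build.

    'unknown' means the branch/variant is not covered by the bulletin as the
    article reports it, not that the build is safe."""
    branch, build = parse_version(version)
    key = (branch, variant)
    if key not in FIXED_BUILDS:
        return "unknown"
    fixed = FIXED_BUILDS[key]
    if fixed is None:
        return "eol"
    # Tuple comparison orders by build first, then sub-build, which matches
    # how NetScaler numbers releases within a branch.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("gw-01", "14.1-55.34", "standard"),
        ("gw-02", "14.1-56.73.nc", "standard"),
        ("gw-03", "13.1-59.19", "standard"),
        ("gw-04", "13.1-37.250", "FIPS"),
        ("gw-05", "13.0-92.19", "standard"),
        ("gw-06", "12.1-55.333", "standard"),
    ]
    for host, version, variant in inventory:
        print(f"{host:6} {version:14} {variant:9} -> {assess(version, variant)}")
```

Anything reported as `eol` needs a migration plan rather than a patch, and `unknown` deserves a manual look at the bulletin rather than being filed as safe.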


At the end of August, numerous Netscaler instances were still vulnerable to the flaw dubbed Citrix Bleed 3; globally, around 28,000 servers were affected.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.
