Citrix NetScaler Fixes Critical Security Flaw

Citrix announced security updates on Tuesday to address four vulnerabilities affecting three of its products, including a critical issue in NetScaler ADC and NetScaler Gateway. 

The most severe flaw, identified as CVE-2025-5777 with a CVSS score of 9.3, stems from an out-of-bounds memory read caused by inadequate input validation. According to Citrix, only NetScaler setups configured as Gateway (including VPN virtual server, ICA Proxy, CVPN, and RDP Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server are vulnerable. 

The vulnerability has been fixed in NetScaler ADC versions 14.1-43.56, 13.1-58.32, 13.1-FIPS, 13.1-NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328. Updates have also been released for NetScaler Gateway versions 14.1-43.56 and 13.1-58.32. 

Citrix also addressed CVE-2025-5349, a high-severity improper access control vulnerability in the NetScaler Management Interface. 

The company noted that older versions of NetScaler ADC and Gateway, specifically versions 12.1 and 13.0, are also affected by these issues. These versions are no longer supported, and customers are strongly encouraged to upgrade to a supported version immediately. 

Additionally, Citrix fixed a high-severity improper privilege management flaw in the Secure Access Client for Windows. This vulnerability, tracked as CVE-2025-0320, could allow attackers to gain System-level privileges. The issue was resolved in Secure Access Client for Windows version 25.5.1.15. 

Another privilege management vulnerability, CVE-2025-4879, was patched in Citrix Workspace app for Windows version 2409. The fix is also included in Workspace app for Windows 2402 LTSR CU2 Hotfix 1 and 2402 LTSR CU3 Hotfix 1. 

Citrix has not reported any active exploitation of these vulnerabilities, but users are urged to apply the updates as soon as possible. Further details are available on the company’s security bulletins page. 
