Citrix NetScaler ADC/Gateway XSS (CVE-2025-12101)
Description
Citrix NetScaler ADC and NetScaler Gateway are vulnerable to reflected cross-site scripting (XSS) when configured as a Gateway or AAA virtual server. The vulnerability stems from insufficient input validation in the SAML authentication flow, specifically in the handling of the RelayState parameter. An attacker can craft a malicious URL whose RelayState carries a JavaScript payload; that payload executes in the context of the victim's browser session when the victim opens the link.
Remediation
Apply the security updates provided by Citrix immediately. Upgrade to the following patched versions based on your deployment:
• NetScaler ADC and Gateway 14.1: Upgrade to build 14.1-29.72 or later
• NetScaler ADC and Gateway 13.1: Upgrade to build 13.1-55.62 or later
• NetScaler ADC and Gateway 13.0: Upgrade to build 13.0-94.25 or later
• NetScaler ADC 13.1-FIPS: Upgrade to build 13.1-37.204 or later
• NetScaler ADC 12.1-FIPS: Upgrade to build 12.1-55.330 or later
• NetScaler ADC 12.1-NDcPP: Upgrade to build 12.1-55.330 or later
As an interim mitigation, implement Web Application Firewall (WAF) rules to filter suspicious RelayState parameters and monitor authentication logs for anomalous SAML requests. Educate users to verify URL authenticity before clicking links, especially those related to Gateway authentication. Consult Citrix Security Bulletin CTX695486 for complete remediation guidance specific to your environment.
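As an added illustration of the interim monitoring step above (this is example code, not Citrix's, and the log line format, endpoint path and allowed host are constructed assumptions rather than NetScaler's real formats): a Python check that walks sample access-log lines, fully percent-decodes each RelayState value, and flags values that contain HTML markup or a script scheme, or that point to a host other than the assumed Gateway host.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the legitimate Gateway hostname that RelayState may point at.
ALLOWED_HOSTS = {"gateway.example.com"}
# Characters and schemes that have no business in a RelayState value.
SUSPECT = re.compile(r"[<>'\"`]|javascript:|data:", re.IGNORECASE)

# Constructed sample log lines (method, request target, status); not NetScaler's format.
SAMPLE_LOG = """\
GET /cgi/samlauth?RelayState=%2Fvpn%2Findex.html 200
GET /cgi/samlauth?RelayState=https%3A%2F%2Fgateway.example.com%2Fvpn%2Findex.html 302
GET /cgi/samlauth?RelayState=%3Cscript%3E 200
GET /cgi/samlauth?RelayState=%253Cscript%253E 200
GET /cgi/samlauth?RelayState=https%3A%2F%2Fthird-party.example%2F 200
POST /cgi/samlauth 302
"""

def normalize(value, rounds=3):
    """Percent-decode repeatedly so multi-encoded values are judged in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def relay_state_verdict(relay_state):
    """Return 'ok' or a short reason why the RelayState value looks suspicious."""
    v = normalize(relay_state)
    if SUSPECT.search(v):
        return "markup-or-scheme"
    parts = urlsplit(v)
    if parts.scheme or parts.netloc:           # absolute or protocol-relative URL
        if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
            return "offsite-redirect"
    elif not v.startswith("/") or v.startswith("//"):
        return "not-a-local-path"
    return "ok"

def scan_log(text):
    """Return (line_no, verdict, raw_value) for every RelayState that is not 'ok'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 3:
            continue                            # skip lines that do not fit the sample format
        query = parse_qs(urlsplit(fields[1]).query, keep_blank_values=True)
        for raw in query.get("RelayState", []): # parse_qs already decoded one layer
            verdict = relay_state_verdict(raw)
            if verdict != "ok":
                findings.append((n, verdict, raw))
    return findings

if __name__ == "__main__":
    for n, verdict, raw in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: RelayState={raw!r}")
```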