Cross-Site Scripting Vulnerability in Citrix NetScaler ADC and Gateway
CVE-2025-12101

5.9 MEDIUM

Key Information:

Vendor: Netscaler

CVE Published: 11 November 2025

What is CVE-2025-12101?

A Cross-Site Scripting (XSS) vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway. The issue can occur when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Attackers can exploit it to inject malicious scripts into web pages viewed by users, potentially compromising user sessions or redirecting users to malicious sites. Organizations should apply updates and follow security best practices to mitigate the risk from this vulnerability.

Affected Version(s)

ADC 14.1 < 56.73

ADC 13.1 < 60.32

ADC 13.1-FIPS and NDcPP < 37.250

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
