NetScaler Kerberos authentication no longer works after the Windows update 2026-04 (KB5082063)

Customers who use Kerberos for SSO pre-authentication on their NetScaler run into a problem after the Microsoft April update. Kerberos Negotiate (SSO) no longer works with the NetScaler afterwards, and other connected systems can be affected as well. On a login attempt via the NetScaler you will see the following entry in ns.log:

default AAATM Message 97485 0 :  "NS kerberos: Failed to verifiy negotiate data with errcode 983044"

This is caused by a security hardening change in Microsoft's April update: https://support.microsoft.com/en-us/topic/april-14-2026-kb5082063-os-build-26100-32690-c57e289d-27c9-47cd-a183-72fabc62c5d7

At the moment there is a workaround, but no fix yet.

Customers should therefore hold back the April update on their domain controllers, or implement the workaround.

This article will be updated as soon as a solution exists.

Workaround (note: according to Microsoft it works at most until the July update):

On the domain controllers, set the following registry value to 1.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters

Value: RC4DefaultDisablementPhase

Applied to the NetScaler, this means that value 1 temporarily allows RC4 Kerberos tickets for NetScaler SPNs again. After changing the registry key, a staggered reboot of the DCs is required!

Further details on the registry key: https://cnag.de/kerberos-rc4-deaktivierung-in-2026

ATTENTION: These changes are to be understood as a workaround only and should be reverted as soon as Citrix provides a fix for the error!

Update 08.05.2026 – Solution

General prerequisite

The associated AD service account must allow AES 128-bit and/or AES 256-bit.

    Then regenerate the keytab file and replace the keytab file on the NetScaler. Capitalization is essential here!

    Example using a keytab file:

    ktpass /out c:\temp\keytab\SVC-ABC-COMPANY.keytab /princ HTTP/samplesite.domain.xyz@DOMAIN.XYZ /pass /mapuser domain\SVC-ABC-COMPANY /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

    Example using «User Name – Password»:

    Make sure the Domain Name field is written in upper case!

    Further information: https://community.citrix.com/forums/topic/258928-negotiate-authentication-broken-kb5082063/#comment-96763
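    As an added example (not part of this article, nor Citrix or Microsoft tooling), the following PowerShell checks the two points discussed above from the defender's side: whether the AD service account behind the NetScaler SPN explicitly allows AES, and which domain controllers still carry the temporary RC4DefaultDisablementPhase workaround value so it can be reverted after the fix. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the account name is a placeholder.

```powershell
# Added example: verify the Kerberos prerequisites and track the DC workaround from this article.
# Requires the RSAT ActiveDirectory module and PowerShell remoting to the domain controllers.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (documented by Microsoft)
$RC4_HMAC = 0x04
$AES128   = 0x08
$AES256   = 0x10

# Registry location and value named in the article (workaround: value 1 = RC4 temporarily allowed again)
$KerbParamsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$PhaseValue    = 'RC4DefaultDisablementPhase'

function Test-ServiceAccountAes {
    # Reports whether the service account explicitly allows AES (the prerequisite of the solution above).
    param([Parameter(Mandatory)][string]$SamAccountName)   # e.g. 'SVC-ABC-COMPANY' (placeholder)

    $acct = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName
    $enc  = [int]$acct.'msDS-SupportedEncryptionTypes'     # $null -> 0: attribute not set on the account

    [pscustomobject]@{
        Account    = $SamAccountName
        RawValue   = ('0x{0:X}' -f $enc)
        AES128     = [bool]($enc -band $AES128)
        AES256     = [bool]($enc -band $AES256)
        RC4        = [bool]($enc -band $RC4_HMAC)
        AesAllowed = [bool]($enc -band ($AES128 -bor $AES256))   # must be $true; then regenerate the keytab
        SPNs       = ($acct.servicePrincipalName -join ', ')
    }
}

function Get-Rc4WorkaroundState {
    # Reads RC4DefaultDisablementPhase on every DC so the temporary workaround can be tracked and reverted.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Invoke-Command -ComputerName $dc -ArgumentList $KerbParamsKey, $PhaseValue -ScriptBlock {
            param($key, $name)
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Phase            = if ($null -eq $item) { 'not set' } else { $item.$name }
                WorkaroundActive = ($null -ne $item -and $item.$name -eq 1)
            }
        }
    }
}

function Set-Rc4WorkaroundPhase {
    # Applies (value 1) or removes the temporary registry value on one DC.
    # A staggered reboot of the DCs is still required afterwards, as the article states.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][ValidateSet('Apply', 'Remove')][string]$Action
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $KerbParamsKey, $PhaseValue, $Action -ScriptBlock {
        param($key, $name, $action)
        if ($action -eq 'Apply') {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        } else {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Usage (placeholder account name):
Test-ServiceAccountAes -SamAccountName 'SVC-ABC-COMPANY' | Format-List
Get-Rc4WorkaroundState | Format-Table -AutoSize
```

    A DC still showing WorkaroundActive = True after the fix has been deployed is the one to revert with Set-Rc4WorkaroundPhase -Action Remove.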

    ICA Session launches may fail with reason «Licensing» in Citrix Director after the controller has entered an emergency license caching mode but it still within grace period.

    Article ID: CTX696464

    Updated On: 04-13-2026

    Article Record Type: Problem Solution

    Created Date: 04-02-2026 20:03

    Details

    ICA Session launches may fail with reason «Licensing» in Citrix Director  after the controller has entered an emergency license caching mode but is still within grace period.

    Event ID 1163 from the Citrix Broker Service, reporting «No connection license available» and indicating launch failures, is logged in the DDC Application event log.

    Follow the below steps to identify if you are hitting this known issue. 

    1. Log into Citrix Director and  view trends for connection failures. If you see the Failure Type as «No License Available» and Failure reason «Licensing»

    Associated User | Failure Type         | Failure Reason | Failure Time  | Launch Time   | Endpoint IP | Receiver Version | Machine Name | VDA Version | Delivery Group
    xxx             | No License Available | Licensing      | 4/2/2026 6:42 | 4/2/2026 6:41 | 10.6.1.176  | n/a              | yyy          | xxxx        | zzz

    2. Check the Application event log on the Delivery Controller and filter for event IDs 1154, 503, 504, 1163, 1156 with the event sources Citrix Broker Service, Citrix High Availability Service and Citrix ConfigSync Service, as shown below. If a Citrix Site has multiple DDCs, the event sequence may be seen on one or more of the DDCs that exposed this behaviour through their interaction with the Citrix High Availability Service.

    3. Check if the events are logged in below sequence.

    Note:

     During this process, Event IDs 503 and 504 from the Config Sync Service may or may not be observed.

    The Config Sync Service can increase the likelihood of the issue occurring; however, the Citrix High Availability Service may independently detect the end of the grace period before the Citrix Broker Service. This timing difference can result in a race condition.

    The key here is that the Citrix High Availability Service reports that the controller is no longer in an emergency license caching mode (event ID 1156) before the Citrix Broker Service reports the same with its own event ID 1156.

    1. Event ID 1154  from Citrix Broker Service indicating the  controller has entered an emergency license caching mode

    2. Event ID 1154 from Citrix High Availability Service indicating the  controller has entered an emergency license caching mode

    3. Event ID 503,504 from Citrix ConfigSync Service for receiving and importing the updated configuration

    4. Event ID 1156 from Citrix High Availability Service reporting «The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.»

    5. Event ID 1163 from Citrix Broker Service reporting «No connection license available» , indicating  launch failures.

    6. Event ID 1156 from Citrix Broker Service reporting «The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.»

    Here is the detailed event Log output for each of the event ID’s listed above:

    Log Name:      Application
    Source:        Citrix Broker Service
    Date:          02-04-2026 06:43:44
    Event ID:      1154
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      yyy
    Description:
    This controller has entered an emergency license caching mode because it could not contact the license server ‚xxx‘. 
     
    You have 716 hour(s) remaining before this controller stops providing desktop and application sessions.

    Log Name:      Application
    Source:        Citrix High Availability Service
    Date:          02-04-2026 06:43:49
    Event ID:      1154
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      yyy
    Description:
    This controller has entered an emergency license caching mode because it could not contact the license server ‚xxx‘. 
     
    You have 720 hour(s) remaining before this controller stops providing desktop and application sessions.

    Log Name:      Application
    Source:        Citrix ConfigSync Service
    Date:          02-04-2026 06:49:08
    Event ID:      503
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      yyy
    Description:
    The Citrix Config Sync Service received an updated configuration.

    Log Name:      Application
    Source:        Citrix ConfigSync Service
    Date:          02-04-2026 06:50:44
    Event ID:      504
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      yyy
    Description:
    The Citrix Config Sync Service imported an updated configuration.

    Log Name:      Application
    Source:        Citrix High Availability Service
    Date:          02-04-2026 06:50:51
    Event ID:      1156
    Task Category: None
    Level:         Information
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      yyy
    Description:
    The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.

    Log Name:      Application
    Source:        Citrix Broker Service
    Date:          02-04-2026 06:51:16
    Event ID:      1163
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:     yyy
    Description:
    No connection license available. To resolve, free licenses by closing sessions that are not needed, or add more licenses. 
     
    Details: 
    License Server Address: ‚xxx‘ 
    License Server Port: ‚27000‘ 
    Site License Model: ‚Concurrent‘ 
    Site Edition: ‚PLT‘ 
    ProductID: ‚XDT‘ 
    User:zzz
    Client ID: ‚FF01753A‘ 
    Session Support: ‚MultiSession‘


    Log Name:      Application
    Source:        Citrix Broker Service
    Date:          02-04-2026 06:58:34
    Event ID:      1156
    Task Category: None
    Level:         Information
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      yyy
    Description:
    The Citrix Broker Service is successfully communicating with the license server ‚xxx‘. This controller is no longer in an emergency license caching mode.
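    As an added example (not from the Citrix article), the following PowerShell pulls exactly the event IDs and sources listed above from a Delivery Controller's Application log and tests for the documented ordering: the High Availability Service's 1156 arriving before the Broker Service's 1156, with Broker 1163 launch failures in between. The lookback window is an assumption; run it on the DDC itself.

```powershell
# Added example: detect the LAS grace-period race signature described in the article on a DDC.
# Signature: Broker 1154 (entered grace) -> HA Service 1156 (HA says grace over)
#            -> Broker 1163 (launch failures) -> Broker 1156 (Broker says grace over)
$Broker = 'Citrix Broker Service'
$HA     = 'Citrix High Availability Service'
$Sync   = 'Citrix ConfigSync Service'

function Get-LasGraceEvents {
    param([int]$LookbackHours = 72)   # window is an assumption; widen it if the incident is older
    $filter = @{
        LogName      = 'Application'
        ProviderName = @($Broker, $HA, $Sync)
        Id           = @(1154, 503, 504, 1163, 1156)
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated
}

function Find-LasGraceRace {
    param([object[]]$Events = (Get-LasGraceEvents))

    # Anchor on the most recent time the Broker entered emergency license caching mode (1154).
    $entered = $Events | Where-Object { $_.ProviderName -eq $Broker -and $_.Id -eq 1154 } | Select-Object -Last 1
    if (-not $entered) {
        return [pscustomobject]@{ RaceDetected = $false; Reason = 'no Broker 1154 in the window' }
    }

    $after      = $Events | Where-Object { $_.TimeCreated -gt $entered.TimeCreated }
    $haExit     = $after | Where-Object { $_.ProviderName -eq $HA     -and $_.Id -eq 1156 } | Select-Object -First 1
    $brokerExit = $after | Where-Object { $_.ProviderName -eq $Broker -and $_.Id -eq 1156 } | Select-Object -First 1
    $syncSeen   = [bool]($after | Where-Object { $_.ProviderName -eq $Sync -and $_.Id -in @(503, 504) })

    # 1163 launch failures that fall between HA's "grace over" and the Broker's own "grace over" event
    $failures = @()
    if ($haExit) {
        $failures = @($after | Where-Object {
            $_.ProviderName -eq $Broker -and $_.Id -eq 1163 -and
            $_.TimeCreated -gt $haExit.TimeCreated -and
            ($null -eq $brokerExit -or $_.TimeCreated -lt $brokerExit.TimeCreated)
        })
    }
    $haFirst = $haExit -and ($null -eq $brokerExit -or $haExit.TimeCreated -lt $brokerExit.TimeCreated)

    [pscustomobject]@{
        GraceEntered      = $entered.TimeCreated
        HaExitedGrace     = if ($haExit)     { $haExit.TimeCreated }     else { $null }
        BrokerExitedGrace = if ($brokerExit) { $brokerExit.TimeCreated } else { $null }
        ConfigSyncSeen    = $syncSeen        # 503/504 may or may not be present, as the note above says
        LaunchFailures    = $failures.Count
        RaceDetected      = [bool]($haFirst -and $failures.Count -gt 0)
    }
}

Find-LasGraceRace | Format-List
```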

    Problem Cause

    Issue identified in the product.

    Resolution

    Refer to the below links to access the Hotfixes for different LAS compatible Delivery Controller versions:

    2203 LTSR CU7 Update 1

    2402 LTSR CU3 Update 1

    2507 LTSR Update 1

    2507 LTSR CU1 Update 2

    2511 Update 2

    Workaround:

    The below workaround can be followed if you are unable to implement the hotfix on the Delivery Controllers for any reason.

    Note:

    1. This workaround should be applied only after the issue occurs. It ensures that sessions launch successfully when the controller enters emergency license caching mode; however, a side effect is that Local Host Cache (LHC) will be disabled.
    2. Once connectivity is restored and the primary Broker is confirmed to be out of the grace period (for example, by verifying Event ID 1156 in the Citrix Broker Service logs), you can restart the Citrix Config Sync Service and the Citrix High Availability Service to restore LHC functionality. However, if the controller enters emergency license caching mode again, these steps will need to be repeated.

    Follow the below steps on one of the Delivery Controllers:

    Step 1: Stop these services:

    Citrix ConfigSync Service

    Citrix High Availability Service

    Citrix Broker Service

    In PowerShell, run:

    Stop-Service CitrixConfigSyncService

    Stop-Service CitrixHighAvailabilityService

    Stop-Service CitrixBrokerService

    Step 2: Start the Citrix Broker Service. In PowerShell, run:

    Start-Service CitrixBrokerService

    Step 3: Wait 5-10 min, then check the connection in PowerShell:

    Test-BrokerLicenseServer -ComputerName <license server address> -Port 8083 -CheckLasPE $true

    If the result is Compatible, it means the connection to LAS is ok. If the result is NotCompatible/Inaccessible/InternalError, it means the connection to LAS is down.

    Step 4: In event log, confirm Citrix Broker Service reports 1154 event again:

    Summary

    ICA Session launches may fail with reason «Licensing» in Citrix Director  after the controller has entered an emergency license caching mode but is still within grace period.

    Event ID 1163 from the Citrix Broker Service, reporting «No connection license available» and indicating launch failures, is logged in the DDC Application event log.

    This impacts Sites Migrated to LAS.

    This issue can impact different CVAD versions supporting LAS, listed in https://docs.citrix.com/en-us/licensing/licensing-guide-for-citrix-virtual-apps-desktops.html

    Install the Fix 

    Caution! This release may require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. 

    This Update is for Version 2511 of the Citrix Virtual Apps and Desktops. Any known issues in Version 2511, except for the specific issues resolved in this release, still apply. 

    Where to Find Documentation 

    This document describes the issue(s) resolved by this Update and includes installation instructions. For additional product information, including supported operating systems and system requirements, see Citrix Virtual Apps and Desktops 2511 on the Citrix Product Documentation site. 

    Symptoms 

    ICA Session launches may fail with reason «Licensing» in Citrix Director after the controller has entered an emergency license caching mode but is still within grace period. 

    or 

    When LAS connection is lost, end users fail to launch desktop or application sessions with error in event log with event id 1163 

    New Fixes in This Release 

     This release includes bug fixes for the License Activation Service (LAS) to improve high-availability (HA) performance and ensure accurate licensing status reporting, and to address the symptoms mentioned above. 

    Key Improvements 

    Race condition during licensing state transitions could lead to incorrect license caching mode period calculations. This prevents session launches (CVADHELP-31920). 

    Fixes from Replaced Updates 

    No Updates were replaced by this release. 

    Installing and Uninstalling this Release 

    Notes: 

    Maintenance Window Recommendation: Citrix recommends scheduling a maintenance window to minimize user impact during the update process.  

    Caution: Citrix recommends that you back up your database before installing this hotfix. Doing so allows you to manually restore your database to the backed-up version. Any changes made between backup and restore will be lost. For information about backing up and restoring your database, see: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/upgrade-migrate 

    To Install This Update: 

    Use the following steps to apply this update: 

    1. Stop the Citrix Broker Service and Citrix High Availability Service.  
    2. Rename the files NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper_Backup.dll, Citrix.Licensing.LasPolEng_Backup.dll. 
    3. Extract the downloaded ZIP file and copy the extracted files to C:\Program Files\Citrix\Broker\Service. 
    4. Restart the Citrix Broker Service and Citrix High Availability Service. 

    To Uninstall This Update 

    Use the following steps to remove this update: 

    1. Stop the Citrix Broker Service and Citrix High Availability Service. 
    2. Rename the files NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper_Update1.dll, Citrix.Licensing.LasPolEng_Update1.dll. 
    3. Rename the files NetLicwrapper_Backup.dll, Citrix.Licensing.LasPolEng_Backup.dll under C:\Program Files\Citrix\Broker\Service to NetLicwrapper.dll, Citrix.Licensing.LasPolEng.dll. 
    4. Restart the Citrix Broker Service and Citrix High Availability Service. 

    Download by AXACOM: Citrix Virtual Apps and Desktops FIX

    NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368

    Attention! Please note the following regarding this update:

    Customers who have already transitioned to NetScaler LAS can upgrade without any special remarks. If you have not yet changed the licensing mode, please check the requirements for LAS prior to the update!

    Upgrading without proper LAS activation can lead to licensing issues. While these can be resolved by downloading a new file-based license, this workaround is only available until April 15, 2026.

    Severity – Critical

    Description of Problem

    Vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

    Affected Versions:

    The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

    CVE-2026-3055:

    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
    • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262


    CVE-2026-4368:

    • NetScaler ADC and NetScaler Gateway  14.1-66.54


    Note: This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

    Details

    NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities mentioned below:

    CVE-2026-3055
    Description: Insufficient input validation leading to memory overread
    Pre-conditions: Citrix ADC or Citrix Gateway must be configured as a SAML IDP
    CWE: CWE-125: Out-of-bounds Read
    CVSS v4.0 Base Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

    CVE-2026-4368
    Description: Race Condition leading to User Session Mixup
    Pre-conditions: Appliance must be configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
    CWE: CWE-362: Race Condition
    CVSS v4.0 Base Score: 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

    What Customers Should Do

    CVE-2026-3055 was identified internally through our ongoing security reviews and broader efforts to strengthen the security of the product.

    Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

    • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

    Note: Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

    CVE-2026-3055 : 

    Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string:

    • add authentication samlIdPProfile .*

    CVE-2026-4368

    Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings

    • An Auth Server (AAA Vserver):
      • add authentication vserver .*
    • A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy) :
      • add vpn vserver .*

    Source: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368&

    NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-12101

    Attention! Please note the following regarding this update:

    Netscaler customers who are not yet using Flex licensing (CITRIX HMC) or Fixed Term licenses must download the installed license file again from the www.citrix.com portal (License) with the correct MAC address and replace it on the Netscaler. These newly created license files will then only be valid until April 2026. If the file is not replaced, the Netscaler will start up with a freemium license after a reboot!
    AXACOM AG recommends installing this patch (medium with a score of 5.9) only when the Netscaler can be converted to the new LAS licensing.

    License Activation Service

    Important:

    File-based licensing system (also referred to as manually managed entitlements), traditionally used for activating various on-premises components, will be End of Life (EOL) on April 15, 2026. License Activation Service (LAS) is the next generation technology for product activations across the suite of Citrix products. LAS will be the only way to activate and license NetScaler instances after April 15, 2026, supporting NetScaler Flexed licenses (CPL/UHMC), legacy NetScaler Pooled licenses, and NetScaler Fixed term Bandwidth licenses. To remain supported, your NetScaler and NetScaler Console deployments must be on a LAS compatible version.

    The minimum required NetScaler® versions that are LAS compatible are:

    • NetScaler ADCs: 14.1-51.80, 13.1-60.29, 13.1-37.247 (FIPS)
    • NetScaler SVM: 14.1-51.83, 13.1-60.30
    • NetScaler Console Service: Supported from early September 2025
    • NetScaler Console on-prem: 14.1-51.83

    Note: LAS support for Console on-prem is from release 14.1-51.83 onwards. However, file-based licensing is deprecated from Console on-prem releases 14.1-51.83 onwards and 13.1-60.26 onwards, and goes EOL on April 15th, 2026. That is, even if you upgrade to Console on-prem release 14.1-51.83 or release 13.1-60.26 or later, you can continue using file-based licensing. However, you must upgrade to Console on-prem release 14.1-51.83 or later and switch to LAS before 15th April 2026, because file-based licensing reaches EOL.

    All the other forms of legacy NetScaler licenses such as Pooled vCPU, CICO, perpetual will not be supported with LAS. NetScaler instances leveraging perpetual licenses without an active maintenance will become unlicensed upon upgrade to the above mentioned software versions.

    LAS based licenses may not be available to customers where prohibited by law or regulations.

    If you have questions or concerns, contact Customer Care. Citrix® may limit or suspend your Citrix Maintenance for non-compliance with these requirements without liability in addition to any other remedies Citrix may have at law or equity. These requirements don’t apply where prohibited by law or regulation.

    License Activation Service | NetScaler 14.1

    Article Id : CTX695486

    Last Modified Date : 11-11-2025 12:40

    Created Date : 11-11-2025 10:19

    Article Record Type : Security Bulletin

    Severity : Medium

    Summary

    Severity – Medium

    Description of Problem

    A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

    Affected Versions

    The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-56.73
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-60.32
    • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.250-FIPS and NDcPP
    • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.333-FIPS and NDcPP

    Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and are vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

    Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities. 

    This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

    Disclaimer

    The information on this page is being provided to you on an «AS IS» and «AS-AVAILABLE» basis. The issues described on this page may or may not impact your system(s). Cloud Software Group, Inc. and its subsidiaries (collectively, «Cloud SG») make no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS PAGE, YOU ACKNOWLEDGE THAT CLOUD SG SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. Cloud SG reserves the right to change or update the information on this page at any time. We accordingly recommend that you always view the latest version of this page. The information contained herein is being provided to you under the terms of your applicable customer agreement with Cloud SG, and may be used only for the purposes contemplated by such agreement. If you do not have such an agreement with Cloud SG, this information is provided under the cloud.com Terms of Use, and may be used only for the purposes contemplated by such Terms of Use.

    Details

    NetScaler ADC and NetScaler Gateway are affected by the vulnerability mentioned below:


    CVE-2025-12101
    Description: Cross-Site Scripting (XSS)
    Pre-conditions: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
    CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    CVSS v4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L)

    What Customers Should Do

    Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

    • NetScaler ADC and NetScaler Gateway 14.1-56.73 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-60.32 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.250 and later releases of 13.1-FIPS and 13.1-NDcPP
    • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.333 and later releases of 12.1-FIPS and 12.1-NDcPP


    Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

    CVE-2025-12101 : 

    Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings

    • An Auth Server (AAA Vserver):
      add authentication vserver .*
    • A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy) :
      add vpn vserver .*

    Citrix licenses and problems with PVS / CVAD 2507, 2402 CU3 and 2203 CU7

    A few days ago Citrix sent an e-mail to all customers stating that, as of April 15, 2026, the old licensing model with local license files will no longer be supported. Instead, the new License Activation Service (LAS) must be used from then on.

    Customers are asked to switch to the new LAS licensing procedure as soon as possible. This migration requires updating all Citrix components to at least CR 2411 or newer.

    Unfortunately, licensing problems occur with various products after the installation. Which problems occur depends on several parameters: the age of the local license files plays a role, as does the license model (Universal, HMC, Citrix for Private Cloud, etc.). Combined with the different Citrix products (CVAD, PVS, license server, XenServer, etc.), this results in a fairly large matrix of very different problems.

    At various customers, some of them severe, problems have been found. After the update to 2507 LTSR, depending on the license model, either PVS no longer works (see https://support.citrix.com/external/article/695191/citrix-provisioning-services-reports-the.html), or all employees receive a pop-up in their Citrix session stating that the environment is insufficiently licensed and will stop working in 30 days.

    AXACOM therefore recommends that all customers refrain from updating their CVAD, license and PVS servers for the time being and wait until the problems are fixed.

    Update 12.10.2025

    Citrix has released a fix for PVS that resolves the problem described above:
    2507 LTSR: https://www.citrix.com/downloads/provisioning-services/product-software/citrix-provisioning-2507-1.html
    2402 LTSR: https://www.citrix.com/downloads/provisioning-services/product-software/provisioning-services-24023-1.html
    2203 LTSR: https://www.citrix.com/downloads/provisioning-services/product-software/provisioning-services-22037-1.html

    NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424

    Article Id : CTX694938

    Last Modified Date : 08-26-2025 12:02

    Created Date : 08-26-2025 11:40

    Article Record Type : Security Bulletin

    Summary

    Severity – Critical

    Description of Problem

    Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

    Affected Versions

    The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
    • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
    • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP


    Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities. 

    This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

    Details

    NetScaler ADC and NetScaler Gateway contain the vulnerability mentioned below:

    CVE-2025-7775
    Description: Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service
    Pre-conditions: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
      (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
      (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
      (OR) CR virtual server with type HDX
    CWE: CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer
    CVSS v4.0 Base Score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

    CVE-2025-7776
    Description: Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service
    Pre-conditions: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with a PCoIP Profile bound to it
    CWE: CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer
    CVSS v4.0 Base Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L)

    CVE-2025-8424
    Description: Improper access control on the NetScaler Management Interface
    Pre-conditions: Access to NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access
    CWE: CWE-284: Improper Access Control
    CVSS v4.0 Base Score: 8.7 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

    What Customers Should Do

    Exploits of CVE-2025-7775 on unmitigated appliances have been observed.

    Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

    • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
    • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

    Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

    CVE-2025-7775:

    Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings

    • An Auth Server (AAA Vserver)
      add authentication vserver .*
    • A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy) 
      add vpn vserver .*
    • LB vserver of type HTTP_QUIC|SSL|HTTP bound with IPv6 services or servicegroups bound with IPv6 servers:
      enable ns feature lb.*
      add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*
      add server .* <IPv6>
      bind servicegroup <servicegroup name> <IPv6 server> .*
      add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*
      bind lb vserver .* <ipv6 servicegroup name>
    • LB vserver of type HTTP_QUIC|SSL|HTTP bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers:
      enable ns feature lb.*
      add serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*
      add server .* <domain> -queryType AAAA
      add service .* <IPv6 DBS server >
      bind servicegroup <servicegroup name> <IPv6 DBS server> .*
      add lb vserver .* (HTTP_QUIC | SSL | HTTP) .*
      bind lb vserver .* <ipv6 servicegroup name>
    • CR vserver with type HDX:
      add cr vserver .* HDX .*

    CVE-2025-7776:

    Customers can determine if they have an appliance configured by inspecting their ns.conf file for the specified strings

    • A Gateway (VPN vserver) with a PCoIP Profile bound to it
    add vpn vserver .* -pcoipVserverProfileName .*
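    As an added example (not part of any Citrix bulletin on this page), the following PowerShell runs the "am I affected?" checks that the three bulletins above describe against a saved copy of ns.conf: it compares the build from the ns.conf header line to the fixed builds the bulletins name and searches for the listed configuration strings (SAML IdP profile, AAA vserver, VPN vserver, PCoIP profile, HDX CR vserver, IPv6 and DBS server objects). The ns.conf path, the header line format "#NS14.1 Build 66.54", and the mapping of 13.1-37.x and 12.1-55.x to the FIPS/NDcPP trains are assumptions; the multi-step LB/IPv6 pre-condition of CVE-2025-7775 still needs manual correlation of the individual hits.

```powershell
# Added example: check an exported ns.conf against the fixed builds and config strings from the bulletins above.
$FixedBuilds = [ordered]@{
    'CVE-2026-3055 / CVE-2026-4368'                 = @{ '14.1' = '14.1-66.59'; '13.1' = '13.1-62.23'; '13.1-FIPS' = '13.1-37.262' }
    'CVE-2025-12101'                                = @{ '14.1' = '14.1-56.73'; '13.1' = '13.1-60.32'; '13.1-FIPS' = '13.1-37.250'; '12.1-FIPS' = '12.1-55.333' }
    'CVE-2025-7775 / CVE-2025-7776 / CVE-2025-8424' = @{ '14.1' = '14.1-47.48'; '13.1' = '13.1-59.22'; '13.1-FIPS' = '13.1-37.241'; '12.1-FIPS' = '12.1-55.330' }
}

# Regexes over ns.conf lines, taken from the bulletins' "inspect your configuration" strings
$Indicators = [ordered]@{
    'SAML IdP profile (CVE-2026-3055)'                          = '^add authentication samlIdPProfile '
    'AAA vserver (CVE-2026-4368, CVE-2025-12101, CVE-2025-7775)' = '^add authentication vserver '
    'VPN/Gateway vserver (CVE-2026-4368, CVE-2025-12101, CVE-2025-7775)' = '^add vpn vserver '
    'VPN vserver with PCoIP profile (CVE-2025-7776)'            = '^add vpn vserver .* -pcoipVserverProfileName '
    'CR vserver of type HDX (CVE-2025-7775)'                    = '^add cr vserver .* HDX'
    'IPv6 server object (CVE-2025-7775 LB pre-condition)'       = '^add server \S+ \S*:\S*:'
    'DBS server with AAAA query (CVE-2025-7775 LB pre-condition)' = '^add server .* -queryType AAAA'
}

function ConvertTo-NsBuildParts { param([string]$Build) [int[]]($Build -split '[-.]') }   # '14.1-66.54' -> 14,1,66,54

function Get-NsTrain {
    # Release train used as key above; 13.1-37.x and 12.1-55.x treated as FIPS/NDcPP trains (assumption)
    param([string]$Build)
    $p = ConvertTo-NsBuildParts $Build
    $train = '{0}.{1}' -f $p[0], $p[1]
    if (($train -eq '13.1' -and $p[2] -eq 37) -or ($train -eq '12.1' -and $p[2] -eq 55)) { return "$train-FIPS" }
    return $train
}

function Test-NsBuildAtLeast {
    # Numeric, component-wise comparison, so 66.54 < 66.59 and 14.1-47.48 > 14.1-9.99
    param([string]$Build, [string]$Required)
    $a = ConvertTo-NsBuildParts $Build
    $b = ConvertTo-NsBuildParts $Required
    for ($i = 0; $i -lt [Math]::Max($a.Count, $b.Count); $i++) {
        $x = if ($i -lt $a.Count) { $a[$i] } else { 0 }
        $y = if ($i -lt $b.Count) { $b[$i] } else { 0 }
        if ($x -ne $y) { return ($x -gt $y) }
    }
    return $true
}

function Test-NsConfExposure {
    param([Parameter(Mandatory)][string]$Path)   # path to a saved ns.conf (placeholder)
    $lines = Get-Content -Path $Path

    # Build taken from the ns.conf header line, e.g. "#NS14.1 Build 66.54" (header format assumed)
    $hdr   = $lines | Select-String -Pattern '^#NS(\d+\.\d+) Build (\d+\.\d+)' | Select-Object -First 1
    $build = if ($hdr) { '{0}-{1}' -f $hdr.Matches[0].Groups[1].Value, $hdr.Matches[0].Groups[2].Value } else { $null }

    $buildStatus = foreach ($cve in $FixedBuilds.Keys) {
        $required = if ($build) { $FixedBuilds[$cve][(Get-NsTrain $build)] } else { $null }
        if (-not $required)                           { $status = 'unknown (no build or train match)' }
        elseif (Test-NsBuildAtLeast $build $required) { $status = 'fixed build' }
        else                                          { $status = 'BELOW fixed build' }
        [pscustomobject]@{ Bulletin = $cve; Build = $build; FixedBuild = $required; Status = $status }
    }

    $configHits = foreach ($name in $Indicators.Keys) {
        $hits = @($lines | Select-String -Pattern $Indicators[$name])
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Indicator = $name; Matches = $hits.Count; Example = $hits[0].Line }
        }
    }

    [pscustomobject]@{ BuildStatus = $buildStatus; ConfigIndicators = @($configHits) }
}

$report = Test-NsConfExposure -Path 'C:\temp\ns.conf'   # placeholder path
$report.BuildStatus      | Format-Table -AutoSize
$report.ConfigIndicators | Format-Table -AutoSize -Wrap
```

    An appliance is exposed to a bulletin only when both its build is below the fixed build and the matching pre-condition indicator is present; CVE-2025-8424 has no configuration string and depends on management-interface reachability alone.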

    Workarounds/ Mitigating Factors

    None