Citrix patches partly critical security holes in Netscaler and apps

Citrix warns of security vulnerabilities, some of them critical, in Netscaler ADC and Gateway, Secure Access Client and Workspace App.


(Image: Sashkin/Shutterstock.com)


Citrix is currently warning of security vulnerabilities in several products. Netscaler ADC and Gateway contain a critical security hole, and Citrix Secure Access Client and Workspace App for Windows also have vulnerabilities. Citrix has released updated software that closes the gaps.

In Netscaler ADC and Gateway, attackers can read memory outside the intended bounds (an out-of-bounds read) in a manner Citrix does not specify; the cause is insufficient validation of transferred data (CVE-2025-5777 / EUVD-2025-18497, CVSS 9.3, risk "critical"). In addition, the Netscaler Management Interface uses inadequate access controls and thus apparently allows unauthorized access (CVE-2025-5349 / EUVD-2025-18494, CVSS 8.7, risk "high"). According to the security advisory, the developers have patched the vulnerabilities in Netscaler ADC and Netscaler Gateway 14.1-43.56 and 13.1-58.32, in Netscaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235, and in Netscaler ADC 12.1-FIPS 12.1-55.328. Secure Private Access on-prem and Secure Private Access Hybrid instances are also vulnerable.
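Because the fixed builds differ per release branch (a 13.1-FIPS appliance at 13.1-37.235 is patched, while a regular 13.1 appliance needs 13.1-58.32), a naive "is my build number higher than X" check gives wrong answers. The following script, an added example that is neither part of the article nor Citrix's own tooling, compares an inventory of installed builds against the fixed builds named in the advisory, branch by branch. It assumes the build strings are written exactly as they appear in the article (`MAJOR.MINOR-BUILD.SUB`) and that the FIPS/NDcPP variant is recorded separately in the inventory; the inventory itself is constructed sample data with placeholder hostnames.

```python
import re

# First patched builds per branch, as listed in the article for
# CVE-2025-5777 and CVE-2025-5349. Branches not listed here (e.g. plain 12.1)
# are deliberately absent: the article makes no statement about them.
FIXED_BUILDS = {
    "14.1": "14.1-43.56",
    "13.1": "13.1-58.32",
    "13.1-FIPS": "13.1-37.235",
    "13.1-NDcPP": "13.1-37.235",
    "12.1-FIPS": "12.1-55.328",
}

# Assumed format: MAJOR.MINOR-BUILD.SUB, exactly as printed in the advisory text.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Turn '14.1-43.56' into (14, 1, 43, 56) so tuples compare numerically.

    String comparison would wrongly rank '14.1-9.1' above '14.1-43.56'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Netscaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())


def branch_key(version, variant=None):
    """Branch lookup key: '13.1' for a regular build, '13.1-FIPS' for a FIPS build."""
    major, minor, _build, _sub = parse_build(version)
    key = f"{major}.{minor}"
    return f"{key}-{variant}" if variant else key


def is_patched(version, variant=None):
    """True if the build is at or above the fixed build for its branch,
    False if below, None if the advisory names no fixed build for that branch."""
    key = branch_key(version, variant)
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    return parse_build(version) >= parse_build(fixed)


def audit(inventory):
    """Classify each (host, version, variant) record as PATCHED, VULNERABLE or UNKNOWN."""
    labels = {True: "PATCHED", False: "VULNERABLE", None: "UNKNOWN"}
    return [(host, labels[is_patched(version, variant)]) for host, version, variant in inventory]


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("gw-example-1", "14.1-43.56", None),    # exactly the fixed build
    ("gw-example-2", "14.1-29.72", None),    # older 14.1 build
    ("adc-example-3", "13.1-37.235", "FIPS"),  # fixed build on the FIPS branch
    ("adc-example-4", "13.1-37.235", None),   # same number on regular 13.1: still below 58.32
    ("adc-example-5", "12.1-55.328", None),   # plain 12.1 is not mentioned in the advisory
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:15} {status}")
```

The UNKNOWN outcome is intentional: an inventory script should refuse to declare a branch safe when the advisory it encodes says nothing about it, rather than silently treating it as patched.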

In a further security advisory, Citrix describes a vulnerability in Netscaler Console and SDX that allows attackers to read arbitrary data (CVE-2025-4365 / EUVD-2025-18493, CVSS 6.9, risk "medium"). Netscaler Console 14.1.47.46 and 13.1.58.32 close the gap, as do Netscaler SDX (SVM) 14.1.47.46 and 13.1.58.32.

Citrix also reports a security vulnerability in Secure Access Client for Windows. Due to insufficient privilege management, local users can escalate their privileges to SYSTEM (CVE-2025-0320 / EUVD-2025-18498, CVSS 8.5, risk "high"). As with the other vulnerabilities, the developers do not explain how this actually occurs or what attacks could look like. Citrix Secure Access Client for Windows 25.5.1.15 resolves the problem.


Finally, there is a security hole in Citrix Workspace app for Windows. Here, too, the developers only mention inadequate privilege management in general terms, which allows users to escalate their privileges to SYSTEM (CVE-2025-4879 / EUVD-2025-18569, CVSS 7.3, risk "high"). Citrix Workspace app for Windows 2409, 2402 LTSR CU2 Hotfix 1 and 2402 LTSR CU3 Hotfix 1 contain the fixes for this vulnerability.

Citrix last reported major security vulnerabilities in Netscaler, among other products, in February. At that time the Citrix Secure Access Client was also affected, but it was the Mac version rather than the Windows version, as is the case now.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.