
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper access control vulnerability (CVE-2025-5349) was discovered in the NetScaler Management Interface, affecting NetScaler ADC and NetScaler Gateway products. The vulnerability was disclosed on June 17, 2025, and exploitation requires access to the NSIP, Cluster Management IP, or local GSLB Site IP (Citrix Advisory).
The vulnerability has been assigned a CVSS v4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L. It is categorized under CWE-284 (Improper Access Control) and affects multiple versions of NetScaler ADC and NetScaler Gateway products (NVD, Citrix Advisory).
The CVSS vector rates the impact on the confidentiality, integrity, and availability of the vulnerable system as high (VC:H/VI:H/VA:H). The affected systems include NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, and various FIPS-compliant versions (Citrix Advisory).
Citrix has released patches for affected versions and strongly urges customers to upgrade to NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases, 13.1-58.32 and later releases, NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.235 and later releases, or NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases. Note that versions 12.1 and 13.0 are End of Life and no longer supported (Citrix Advisory).
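One way to check an appliance inventory against the fixed builds listed above. This is an added example, not code from Citrix or from this database. The `assess` function, the `fips` flag, the `NS13.1: Build ...` banner format and the inventory entries are assumptions made for illustration.

```python
import re

# Fixed builds copied from the advisory text above: (release, fips) -> minimum fixed build.
FIXED = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS and NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS
}
# Releases the advisory lists as End of Life (non-FIPS builds, no fix available).
EOL = {"12.1", "13.0"}

# Matches "14.1-43.56" as written on this page, and also a
# "NS13.1: Build 58.32.nc" banner style (assumed input format).
_VERSION = re.compile(r"(\d+\.\d+)\D+?(\d+)\.(\d+)")


def assess(version: str, fips: bool = False) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one appliance."""
    m = _VERSION.search(version)
    if not m:
        return "unknown"
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((release, fips))
    if fixed is None:
        return "eol" if release in EOL else "unknown"
    # Tuple comparison orders builds numerically: (43, 56) > (43, 9).
    return "patched" if build >= fixed else "vulnerable"


# Constructed inventory for illustration: (hostname, version string, FIPS/NDcPP build?).
INVENTORY = [
    ("adc-01", "14.1-43.56", False),
    ("adc-02", "NetScaler NS13.1: Build 55.34.nc", False),
    ("adc-03", "13.1-37.235", True),
    ("adc-04", "13.0-92.21", False),
    ("adc-05", "12.1-55.300", True),
]

if __name__ == "__main__":
    for host, ver, fips in INVENTORY:
        print(f"{host:8} {ver:36} {assess(ver, fips)}")
```

The `fips` flag matters because the same build number can be patched on the 13.1-FIPS line and vulnerable on the standard 13.1 line.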
Source: This report was generated using AI