PT-2025-46341 · Citrix · NetScaler ADC +1

Published: 2025-11-11 · Updated: 2026-03-12 · CVE-2025-12101

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions

NetScaler ADC and NetScaler Gateway 12.1-FIPS and NDcPP, versions prior to 12.1-55.333-FIPS and NDcPP
NetScaler ADC and NetScaler Gateway 13.1, versions prior to 13.1-60.32
NetScaler ADC and NetScaler Gateway 13.1-FIPS and NDcPP, versions prior to 13.1-37.250-FIPS and NDcPP
NetScaler ADC and NetScaler Gateway 14.1, versions prior to 14.1-56.73
Description

A Cross-Site Scripting (XSS) issue exists in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The issue arises from improper neutralization of input during web page generation. Exploitation allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking or data theft. The vulnerability is related to a memory leak and reflected XSS. A misconfiguration involving the AAA component can lead to the exposure of uninitialized memory content.
Recommendations

NetScaler ADC and NetScaler Gateway versions prior to 12.1-55.333-FIPS and NDcPP: upgrade to version 12.1-55.333-FIPS or NDcPP or later.
NetScaler ADC and NetScaler Gateway versions prior to 13.1-60.32: upgrade to version 13.1-60.32 or later.
NetScaler ADC and NetScaler Gateway versions prior to 13.1-37.250-FIPS and NDcPP: upgrade to version 13.1-37.250-FIPS or NDcPP or later.
NetScaler ADC and NetScaler Gateway versions prior to 14.1-56.73: upgrade to version 14.1-56.73 or later.

Fix

Weakness Enumeration

XSS

Related Identifiers

BDU:2025-16488
CVE-2025-12101

Affected Products

NetScaler ADC
NetScaler Gateway