
Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks can also break login pages on NetScaler ADC and Gateway appliances.

This happens because, starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header, which mitigates risks associated with cross-site scripting (XSS), code injection, and other client-side attacks, is enabled by default.

However, while it is designed to block unauthorized scripts and external content from executing in the browser, the policy also inadvertently restricts legitimate scripts or resources loaded by DUO configurations based on RADIUS authentication, integrations, custom SAML setups, or other identity provider (IdP) configurations that do not comply with the strict CSP rules.

“There is an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19,” the company explains in an advisory that also warns admins to immediately patch their appliances against two critical security vulnerabilities.

“This may manifest as a ‘broken’ login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default on this NetScaler build, especially when CSP was not enabled prior to the upgrade.”

The first of the two security flaws (tracked as CVE-2025-5777 and dubbed Citrix Bleed 2) allows threat actors to bypass authentication by hijacking user sessions, while the second (CVE-2025-6543) is now actively exploited in denial-of-service attacks.

To temporarily address this known issue, Citrix recommends that administrators disable the default CSP header on affected NetScaler appliances (via the user interface or the command line) and clear the cache to ensure that the change takes effect immediately.

After disabling the CSP header, admins are also advised to access the NetScaler Gateway authentication portal to check whether the issue is resolved.
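The check an administrator wants at this step is whether the login page still sends a Content-Security-Policy header and, if it does, which of the IdP's script sources that policy would block. The following is an added, hypothetical example, not Citrix's code and not part of the original article: the response headers, the CSP value and the IdP script URLs are constructed samples, and the real policy emitted by a NetScaler build may differ.

```python
"""Check whether a login page's Content-Security-Policy would block the
script origins an IdP integration depends on.

Added, hypothetical example; not Citrix's code. All headers and URLs below
are constructed samples, not values captured from a real appliance.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: raw response headers as a login page might return them
# with a default CSP header enabled (the policy value is invented).
HEADERS_WITH_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'
"""

# Constructed sample: the same response after the CSP header has been disabled.
HEADERS_WITHOUT_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
"""

# Constructed sample: external scripts a custom IdP or DUO-style integration
# might load on the login page (placeholder hostnames).
IDP_SCRIPTS = [
    "https://idp.example.test/login-widget.js",
    "https://cdn.example.test/auth/duo-prompt.js",
]


def get_csp(raw_headers: str) -> Optional[str]:
    """Return the Content-Security-Policy header value, or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit a script fetched from `url`?"""
    src = source.lower().strip("'")
    u = urlsplit(url)
    if src == "*":
        return True
    if src == "self":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src in ("https:", "http:"):
        return u.scheme == src.rstrip(":")
    if src.startswith("*."):
        # Wildcard host, e.g. *.example.test matches cdn.example.test
        return (u.hostname or "").endswith(src[1:])
    # Plain host-source, with or without a scheme; keywords such as
    # 'unsafe-inline' or 'none' simply never match a host.
    host_part = src.split("://", 1)[1] if "://" in src else src
    return u.netloc.lower() == host_part.split("/", 1)[0]


def blocked_scripts(raw_headers: str, script_urls: List[str], page_origin: str) -> List[str]:
    """Return the script URLs the page's CSP would refuse to execute.

    No CSP header means nothing is blocked. script-src falls back to
    default-src when absent, as the CSP specification requires.
    """
    policy = get_csp(raw_headers)
    if policy is None:
        return []
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    return [
        url for url in script_urls
        if not any(_source_allows(s, url, page_origin) for s in sources)
    ]


if __name__ == "__main__":
    origin = "https://gateway.example.test"
    print("before:", blocked_scripts(HEADERS_WITH_CSP, IDP_SCRIPTS, origin))
    print("after: ", blocked_scripts(HEADERS_WITHOUT_CSP, IDP_SCRIPTS, origin))
```

With the constructed policy, both IdP scripts are reported as blocked because `script-src 'self' 'unsafe-inline'` only permits scripts from the gateway's own origin; once the header is gone, the list is empty. To use this against a real deployment, paste the response headers of the appliance's login page (as shown in the browser's developer tools) into `raw_headers` and list the script URLs the IdP integration loads; the browser console's CSP violation messages give the same information, this script just makes it a repeatable pre- and post-change check.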

“If the issue persists after following these steps, please reach out to Citrix Support for further assistance. Provide them with details of your configuration and the steps you have already taken,” the company adds in a separate advisory issued on Monday.

“Please reach out to the support team so that we can identify the issue with CSP and fix it for your configuration.”
