Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gateway appliances.
This happens because, starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header, which mitigates risks associated with cross-site scripting (XSS), code injection, and other client-side attacks, is enabled by default.
However, while it is designed to block unauthorized scripts and external content from executing in the browser, the policy also inadvertently restricts legitimate scripts or resources loaded by DUO configurations based on RADIUS authentication, integrations, custom SAML setups, or other IDP configurations that do not comply with the strict CSP rules.
“There is an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19,” the company explains in an advisory that is also warning admins to immediately patch their appliances against two critical security vulnerabilities.
“This can manifest as a ‘broken’ login page, particularly when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, particularly when CSP was not enabled prior to the upgrade.”
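As an added example (not from Citrix's advisory or from NetScaler itself), a small Python checker that parses a CSP header value and reports which login-page scripts it would block, which is the failure mode described above. The header value, portal origin and script URLs are constructed placeholders, not real NetScaler or DUO values.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the advisory): a strict
# policy of the kind enabled by default, the portal origin, and the scripts the
# login page tries to load (one local, one from a hypothetical external IdP).
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://*.static.example.com; object-src 'none'"
PAGE_ORIGIN = "https://gateway.example.com"
LOGIN_SCRIPTS = [
    "https://gateway.example.com/vpn/js/login.js",   # served by the portal itself
    "https://duo.example.com/js/Duo-Web-v2.js",      # hypothetical external IdP script
]

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """Subset of CSP source matching: 'self', '*', scheme:, host and *.host forms."""
    u = urlsplit(url)
    s = source.lower()
    if s == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin.lower()
    if s == "*":
        return True
    if s.endswith(":"):                       # scheme-source such as https:
        return u.scheme == s[:-1]
    scheme, _, rest = s.partition("://")
    if not rest:                              # bare host-source, any scheme
        scheme, rest = "", scheme
    if scheme and scheme != u.scheme:
        return False
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):                 # wildcard matches subdomains only
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def csp_findings(header, page_origin, script_urls, has_inline_scripts):
    """Return (blocked script URLs, whether inline scripts would be blocked)."""
    policy = parse_csp(header)
    # script-src governs script loads; default-src is the fallback when it is absent
    sources = policy.get("script-src", policy.get("default-src", []))
    blocked = [u for u in script_urls
               if not any(source_allows(src, u, page_origin) for src in sources)]
    inline_blocked = has_inline_scripts and "'unsafe-inline'" not in sources
    return blocked, inline_blocked
```

Running `csp_findings(SAMPLE_CSP, PAGE_ORIGIN, LOGIN_SCRIPTS, True)` flags the external IdP script and any inline custom script, which is why pages built on such integrations render as "broken" once the policy is enforced.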
The first of the two security flaws (tracked as CVE-2025-5777 and dubbed Citrix Bleed 2) enables threat actors to bypass authentication by hijacking user sessions, while the second (CVE-2025-6543) is now actively exploited in denial-of-service attacks.
To temporarily address this known issue, Citrix recommends that administrators disable the default CSP header on affected NetScaler appliances (via the user interface or command line) and clear the cache to ensure that the changes take effect immediately.
After disabling the CSP header, admins are also advised to access the NetScaler Gateway authentication portal to check whether the issue is resolved.
“If the issue persists after following these steps, please reach out to Citrix Support for further assistance. Provide them with details of your configuration and the steps you have already taken,” the company adds in a separate advisory issued on Monday.
“Please reach out to the support team so that we can identify the issue with CSP and fix it in your configuration.”