Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent management-interface access (AV:A), no auth or interaction (PR:N/UI:N), low complexity; arbitrary file read yields C:H with no integrity or availability impact (I:N/A:N).
Primary rating from Vendor (50a63c94-1ea7-4568-8c11-eb79e7c5a2b5).
CVSS VectorVendor: 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled
AnalysisAI
Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network retrieve sensitive files from the appliance when the NSIP, Cluster Management IP, or a SNIP has management access enabled. The flaw (CWE-73, external control of file name or path) carries a CVSS 4.0 base score of 7.1 with high confidentiality impact, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that management access be enabled and reachable on the NSIP, Cluster Management IP, or a SNIP, and that the attacker have adjacent-network access to that management interface (CVSS AV:A, not full Internet-wide network reach). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) describes an adjacent-network, low-complexity, unauthenticated attack with high confidentiality impact and no special attack requirements, scoring 7.1 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned on the same network segment as an exposed NetScaler management interface (NSIP, Cluster Management IP, or a management-enabled SNIP) sends a crafted request that manipulates a file path parameter to read sensitive files - such as configuration data or credentials - from the appliance without authenticating. Because the attack is low-complexity and requires no user interaction, a single adjacent host (e.g., a compromised device on a poorly segmented management LAN) is sufficient; no public exploit code has been identified at time of analysis. |
| Remediation | Apply the fixed builds published by Citrix in advisory CTX696604 (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604); exact patched version numbers were not present in the supplied data, so confirm them directly from that advisory before scheduling the upgrade. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit network connectivity to all NetScaler NSIP, Cluster Management IP, and SNIP interfaces; document which have external or adjacent-network reachability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory o
Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability (CVE-2025-6543, CVSS 9.8) leading to unintended
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the a
Improper access control vulnerability in NetScaler ADC and NetScaler Gateway management interfaces that allows unauthent
Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CV
Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in Citrix
Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler
Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated atta
Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that prod
Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive
Memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway if the appli
Privilege Escalation to root administrator (nsroot). Rated high severity (CVSS 8.0), this vulnerability is low attack co
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40310
GHSA-jxcr-w9q6-gmhx