Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
Articles & Coverage 3
AnalysisAI
An insufficient input validation vulnerability exists in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, allowing attackers to trigger a memory overread condition. The vulnerability affects both the NetScaler ADC and NetScaler Gateway products across multiple versions, and successful exploitation could lead to information disclosure by reading adjacent memory contents. While no CVSS score or EPSS data is currently published, the CWE-125 classification (Out-of-bounds Read) combined with the SAML IDP configuration context suggests moderate to high real-world risk for organizations relying on these devices for identity management.
Technical ContextAI
The vulnerability resides in the SAML Identity Provider functionality of NetScaler products. SAML (Security Assertion Markup Language) is an XML-based standard for single sign-on and federation. When NetScaler ADC or Gateway is configured as a SAML IDP, it processes SAML authentication requests and generates assertions. The root cause, classified under CWE-125 (Out-of-bounds Read), indicates that the affected code fails to properly validate the length or bounds of user-supplied input before using it in a memory read operation. This could occur during parsing of SAML request parameters, metadata fields, or assertion elements. Attackers can craft malformed SAML requests to cause the parser to read beyond allocated buffer boundaries, exposing adjacent memory regions that may contain sensitive data such as session tokens, cryptographic keys, or other authentication secrets. The CPE identifiers cpe:2.3:a:netscaler:adc:*:*:*:*:*:*:*:* and cpe:2.3:a:netscaler:gateway:*:*:*:*:*:*:*:* indicate that all versions of both products are potentially affected.
RemediationAI
Organizations should immediately consult Citrix KB article CTX696300 (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300) to obtain patched versions when they become available and apply updates according to Citrix's guidance. Until patches are deployed, implement the following interim mitigations: restrict network access to NetScaler SAML endpoints to only trusted identity providers and relying parties using firewall rules or network segmentation; disable SAML IDP functionality if not actively required; implement network monitoring and rate limiting on SAML endpoints to detect anomalous request patterns; review SAML request logs for malformed or oversized inputs; and consider placing NetScaler instances behind additional authentication or inspection layers. Organizations with critical dependencies on SAML authentication should prioritize patching once available and consider staging updates in test environments first given the sensitivity of identity infrastructure.
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as r
Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory o
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build
Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability (CVE-2025-6543, CVSS 9.8) leading to unintended
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the a
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal. Rated critical s
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection. Rated critical severit
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 3 of
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 2 of
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14546
GHSA-wv7p-q4p2-p6pf