Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SAML IDP endpoint is remotely reachable and unauthenticated (PR:N, AV:N, AC:L); memory overread yields high confidentiality and crash-driven availability impact, with no integrity effect (I:N).
Primary rating from Vendor (50a63c94-1ea7-4568-8c11-eb79e7c5a2b5).
CVSS VectorVendor: 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler ADC or NetScaler Gateway is configured as a SAML IDP
Articles & Coverage 2
AnalysisAI
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the NetScaler ADC or NetScaler Gateway appliance be configured as a SAML identity provider (IDP) - this is the exact, named precondition from the description and is the primary limiting factor, since default deployments not using NetScaler as a SAML IDP are not exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent toward elevated but conditional risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an internet-facing NetScaler Gateway acting as a SAML IDP and sends crafted SAML protocol requests to the IDP endpoint without authenticating. The missing input validation triggers an out-of-bounds read, and the appliance returns fragments of process memory that may contain session tokens or other sensitive data, which the attacker harvests to hijack sessions or pivot. … |
| Remediation | Apply the fixed firmware build published by Citrix in advisory CTX696604 (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604); no vendor-released patch version is enumerated in the provided input data, so retrieve the exact upgrade target for your release train directly from that advisory - Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all NetScaler ADC/Gateway instances in SAML IDP mode; disable SAML IDP functionality if business-critical alternatives exist; enable detailed request/response logging on identity provider endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory o
Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability (CVE-2025-6543, CVSS 9.8) leading to unintended
Improper access control vulnerability in NetScaler ADC and NetScaler Gateway management interfaces that allows unauthent
Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CV
Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in Citrix
Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler
Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated atta
Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that prod
Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive
Memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway if the appli
Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network
Privilege Escalation to root administrator (nsroot). Rated high severity (CVSS 8.0), this vulnerability is low attack co
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40305
GHSA-6659-v5cc-894x