Citrix Patches Critical Bugs, Breaks Logins in the Process

PureID

Srishti Chaubey

July 6, 2025

Citrix NetScaler login crash

Citrix recently shipped patches for its NetScaler product line and cautioned that, on NetScaler ADC and Gateway appliances, they can break the login page. The failures appear after upgrading to builds 14.1-47.46 or 13.1-59.19, which turn the Content Security Policy (CSP) header "ON" by default.

CSP is a response header that tells the browser which script sources a page may execute, so it blocks injected inline scripts and mitigates cross-site scripting, code injection and (through frame-ancestors) clickjacking. The same restriction also blocks legitimate inline and third-party scripts: those used for Duo authentication over RADIUS, custom SAML authentication configurations, and other identity providers that inject inline or external scripts into the portal. The result is a login page that does not load or does not function correctly.

Purpose of the Patches

The patches address two high-risk vulnerabilities; both apply to appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server:

  • CVE-2025-5777 (dubbed "Citrix Bleed 2") is an out-of-bounds memory read in NetScaler ADC and Gateway. An unauthenticated attacker can retrieve fragments of the appliance's memory, which may contain user credentials, session tokens and other secrets held in memory; a captured session token can be replayed to authenticate as a legitimate user and used for lateral movement.
  • CVE-2025-6543 is a memory overflow in NetScaler ADC and Gateway that can trigger unintended control flow and crash the appliance, resulting in denial of service. It is being actively exploited to disrupt availability.

Citrix chose to ship the changes immediately to secure affected environments, but enabling CSP by default created an unexpected login problem for customers whose authentication flows depend on scripts the policy blocks. Note that patching alone does not invalidate session tokens leaked through CVE-2025-5777 before the upgrade; Citrix's advisory recommends terminating active ICA and PCoIP sessions after upgrading (kill icaconnection -all and kill pcoipConnection -all), and reviewing active sessions for anomalies.

Who is affected

If your login page is customised with any of the following, expect to run into this problem:

  • Duo multi-factor authentication integrated over RADIUS
  • Custom SAML integrations
  • Identity providers that load external or inline scripts
  • Any other authentication flow that is incompatible with a strict CSP

These environments depend on scripts or resources that the default CSP now blocks.
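To see concretely why a strict policy breaks these integrations, and to audit an identity-provider customisation before turning CSP back on, the following added example evaluates CSP script-src semantics against a list of the scripts a login page loads. This is illustrative code written for this article, not NetScaler's implementation; the page origin, the script URLs and both policy strings are constructed, and the "strict" policy is a plausible stand-in, not the header NetScaler actually sends.

```python
"""Audit which login-page scripts a Content-Security-Policy would block.

Added example (not NetScaler code): a small evaluator for the script-src
semantics that break inline Duo/SAML customisations once CSP is enforced.
Policies, origins and script URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

_DEFAULT_PORT = {"https": 443, "http": 80}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url: str) -> str:
    """scheme://host[:port] with the default port dropped, as browsers compare origins."""
    u = urlparse(url)
    if u.port is None or u.port == _DEFAULT_PORT.get(u.scheme):
        return f"{u.scheme}://{u.hostname}"
    return f"{u.scheme}://{u.hostname}:{u.port}"


def _host_source_allows(expr: str, url: str) -> bool:
    """Match one host-source ('https:', 'cdn.x.com', 'https://*.x.com:443') against a URL."""
    u = urlparse(url)
    if expr.endswith(":") and "/" not in expr:          # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = "", expr
    if scheme and scheme != u.scheme:
        return False
    hostname, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and port != str(u.port or _DEFAULT_PORT.get(u.scheme)):
        return False
    if hostname.startswith("*."):                       # "*.x.com" matches "a.x.com", not "x.com"
        return u.hostname.endswith(hostname[1:])
    return u.hostname == hostname


def script_allowed(policy: dict, script: dict, page_origin: str) -> bool:
    """Apply script-src (falling back to default-src) to one <script> element."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:                                  # no governing directive: allowed
        return True
    # In CSP level 2 and later a nonce or hash in the list makes 'unsafe-inline' a no-op.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    for expr in sources:
        e = expr.lower()
        if script.get("nonce") and expr == f"'nonce-{script['nonce']}'":
            return True                                  # a nonce covers inline and external alike
        if script["kind"] == "inline":
            if e == "'unsafe-inline'" and not has_nonce_or_hash:
                return True
            continue                                     # host sources never match inline code
        if e == "'self'":
            if origin_of(script["src"]) == page_origin:
                return True
        elif e == "*":
            return True
        elif not e.startswith("'") and _host_source_allows(e, script["src"]):
            return True
    return False


def blocked_scripts(header: str, scripts: list[dict], page_origin: str) -> list[str]:
    """Labels of the scripts that the given policy would refuse to execute."""
    policy = parse_csp(header)
    return [s["label"] for s in scripts if not script_allowed(policy, s, page_origin)]


# Constructed sample: a gateway login page plus the add-ons the article lists.
PAGE_ORIGIN = "https://gateway.example.com"
SCRIPTS = [
    {"label": "portal bundle", "kind": "external",
     "src": "https://gateway.example.com:443/js/login.js"},
    {"label": "inline Duo RADIUS handler", "kind": "inline"},
    {"label": "Duo Web SDK", "kind": "external",
     "src": "https://api-1234abcd.duosecurity.com/frame/hosted/Duo-Web-v2.js"},
    {"label": "custom SAML widget", "kind": "external",
     "src": "https://idp.example.org/auth/widget.js"},
]
# Constructed policies; neither is the header NetScaler actually emits.
STRICT_CSP = "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
ALLOWLIST_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
                 "https://*.duosecurity.com; frame-ancestors 'none'")

if __name__ == "__main__":
    for name, csp in (("strict", STRICT_CSP), ("allow-list", ALLOWLIST_CSP)):
        print(f"{name:10s} blocks: {blocked_scripts(csp, SCRIPTS, PAGE_ORIGIN)}")
```

Under the strict policy only the appliance's own bundle survives: the inline Duo handler, the Duo SDK and the SAML widget are all refused, which is exactly the broken-portal symptom. The allow-list variant shows the more durable fix, allow-listing each identity provider's origin (and, better than 'unsafe-inline', a nonce or hash for inline code) rather than switching CSP off; note the SAML widget stays blocked until its origin is listed too.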

Temporary Fix

To restore the login page, Citrix recommends the following:

  • Disable the CSP header from the NetScaler UI or the command line.
  • Clear the appliance and browser caches so the change takes effect immediately.
  • Open the login page again through the NetScaler Gateway portal.
  • If problems persist, contact Citrix Support with your current configuration and the details of what you have already tried.

Confirm the change by fetching the login page and checking that the Content-Security-Policy response header is no longer present. Treat this as a stopgap: disabling the header removes the protection the patch switched on, so it should be paired with work to make the login customisations CSP-compatible.

Last Takeaway: Patch, But Prepare

Security fixes are mandatory, but they have consequences for environments that were not built for stricter policies. Apply the patches to stay protected, then review your identity-provider configuration for CSP compatibility so the header can be re-enabled. The goal is security that still presents users with a working login.

Using PureID's PureAUTH to authenticate to critical servers eliminates the possibility of credential theft or password-spraying attacks. Administrators can also enforce shorter sessions, keeping logins smooth but frequent so that the risk from stolen session tokens is minimised without compromising the user experience.
