Citrix administrators are being advised to act quickly—not just to patch two critical vulnerabilities in NetScaler ADC and Gateway appliances, but also to prevent login disruptions that may follow.
Authentication Bypass and DoS Bugs Force Emergency Patch—and New CSP Configuration Conflicts
Citrix has released patches for two serious vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2025-5777 and CVE-2025-6543. The first, dubbed Citrix Bleed 2 for its resemblance to the 2023 Citrix Bleed flaw (CVE-2023-4966), is an insufficient-input-validation bug that lets an unauthenticated attacker read out-of-bounds memory from the appliance; that memory can contain valid session tokens, which is what makes session hijacking and authentication bypass possible. The second is a memory overflow that can divert the appliance's control flow and crash it, and it is already being exploited in denial-of-service attacks. Both bugs are reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is exactly the role in which most internet-facing NetScalers run.
However, the company is now warning that customers may see broken login pages after applying the fix. The cause is a new default in the fixed builds 14.1-47.46 and 13.1-59.19: the Content-Security-Policy (CSP) response header on the login page is now enabled by default, so an appliance that never sent the header before starts sending it the moment it is patched.
CSP is meant to defend against cross-site scripting and code injection: the browser refuses to run scripts or load resources that the policy does not explicitly allow. That is also why it breaks some legitimate configurations. Duo RADIUS integrations, custom SAML setups, and third-party Identity Providers (IdPs) that rely on scripts or resources the default policy does not permit (inline script in a customised logon page, or script and frames served from the IdP's own host) now violate the policy, and the browser blocks them instead of rendering the login flow.
“There’s an issue related to authentication that you may observe after upgrading NetScaler… This can manifest as a ‘broken’ login page,” Citrix said in a customer advisory.
“This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default… especially when CSP was not enabled prior to the upgrade.”
Temporary Fix: Disable CSP Header and Clear Cache
Until a more refined fix ships, Citrix recommends that administrators who hit login problems after patching disable the CSP header manually, either in the GUI or from the CLI, and then flush the cache so that cached copies of the login page stop carrying the header and the change takes effect immediately. Two caveats: disabling the header does not weaken the fix for CVE-2025-5777 or CVE-2025-6543 (the header is a separate hardening feature), but it does return the login page to its pre-upgrade exposure to script injection, so treat it as a stopgap and re-enable it once the conflicting integration has been adjusted.
Once disabled, organizations should verify whether access to the authentication portal has been restored. If the login page still appears broken or if SSO integrations fail, Citrix advises contacting support with details of the current configuration and steps already taken.
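The checks described above, as an added example that is not part of the Citrix advisory and not NetScaler code: a small Python script that takes a Content-Security-Policy header and the resources a login flow depends on, reports which of them the browser would block, and shows the allowlist that would let the integration work with CSP left on rather than switched off. The CSP value, the gateway hostname, the Duo and SAML URLs and the dependency list are all constructed for the example; the real NetScaler default header, and whether the appliance lets you edit it, are not covered by the page, so treat the allowlist as a hypothetical alternative. Nonce- and hash-based sources are not modelled. (The disable-and-flush commands, quoted from memory of Citrix's guidance and to be confirmed against the advisory before use, are `set aaa parameter -defaultCSPHeader DISABLED` followed by `flush cache contentgroup loginstaticobjects`.)

```python
# Added example, not Citrix or NetScaler code: models how a browser applies a
# Content-Security-Policy header to what a customised NetScaler logon page loads,
# to show why a newly enabled default policy breaks Duo / SAML / third-party IdP
# flows and what an allowlist would need.
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent; form-action/frame-ancestors do not.
FETCH_FALLBACK = {"script-src", "style-src", "img-src", "connect-src", "frame-src", "font-src"}

def parse_csp(header):
    """'dir src src; dir src' -> {directive: [sources]}"""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Sources governing `directive`, or None if the policy leaves it unconstrained."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_FALLBACK else None

def _host_matches(pattern, host):
    # Exact host, or '*.example.com' (subdomains only, not the bare domain).
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def url_allowed(sources, page_url, url):
    """Would a resource at `url`, loaded by `page_url`, pass this source list?"""
    page, res = urlsplit(page_url), urlsplit(url)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if res.scheme == page.scheme and res.netloc.lower() == page.netloc.lower():
                return True
        elif s.endswith(":") and "/" not in s:      # scheme-source, e.g. https: or data:
            if res.scheme == s[:-1]:
                return True
        elif not s.startswith("'"):                  # host-source, optional scheme, port, path
            scheme, _, host = s.rpartition("://")
            if scheme and scheme != res.scheme:
                continue
            if _host_matches(host.split("/")[0].split(":")[0], res.hostname or ""):
                return True
    return False

def blocked_dependencies(csp_header, page_url, deps):
    """deps: [(directive, 'inline' | url)] -> the entries this CSP would block."""
    policy, blocked = parse_csp(csp_header), []
    for directive, target in deps:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        if target == "inline":
            ok = "'unsafe-inline'" in [s.lower() for s in sources]
        else:
            ok = url_allowed(sources, page_url, target)
        if not ok:
            blocked.append((directive, target))
    return blocked

def relax_csp(csp_header, additions):
    """Append sources per directive, the allowlist alternative to switching CSP off.
    A directive that inherited default-src is written out first so nothing else widens."""
    policy = parse_csp(csp_header)
    for directive, extra in additions.items():
        base = list(effective_sources(policy, directive) or [])
        policy[directive] = base + [e for e in extra if e not in base]
    return "; ".join((d + " " + " ".join(srcs)).strip() for d, srcs in policy.items())

def csp_header_present(headers):
    """Post-change check on a captured response; a cached copy of the logon page
    can keep sending the header until the cache is flushed."""
    return any(k.lower() == "content-security-policy" for k in headers)

# --- constructed sample data; NOT the real NetScaler default policy or real hosts ---
DEFAULT_CSP = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
               "img-src 'self' data:; form-action 'self'; frame-ancestors 'self'")
LOGIN_URL = "https://gateway.example.com/logon/LogonPoint/index.html"
LOGIN_DEPS = [
    ("script-src", "inline"),                                             # custom inline logon script
    ("script-src", "https://api-example.duosecurity.com/frame/v4/auth"),  # Duo prompt JS (placeholder host)
    ("frame-src", "https://api-example.duosecurity.com/frame/v4/auth"),   # Duo iframe
    ("form-action", "https://idp.example.com/saml/sso"),                  # SAML POST to third-party IdP
    ("script-src", "https://gateway.example.com/vpn/js/custom.js"),       # same-origin script: allowed
]
IDP_ALLOWLIST = {
    "script-src": ["'unsafe-inline'", "https://*.duosecurity.com"],
    "frame-src": ["https://*.duosecurity.com"],
    "form-action": ["https://idp.example.com"],
}

if __name__ == "__main__":
    for directive, target in blocked_dependencies(DEFAULT_CSP, LOGIN_URL, LOGIN_DEPS):
        print(f"blocked by {directive}: {target}")
    relaxed = relax_csp(DEFAULT_CSP, IDP_ALLOWLIST)
    print("allowlisted policy:", relaxed)
    print("still blocked:", blocked_dependencies(relaxed, LOGIN_URL, LOGIN_DEPS))
```

Against the constructed default policy the inline script, the Duo script, the Duo iframe (frame-src inherits default-src) and the SAML form POST are all blocked, while the same-origin script passes; after the allowlist is applied nothing is blocked. The point for the verification step: after you disable the header and flush the cache, run `csp_header_present` over the headers of a fresh response to the logon page; if it still returns True, the cached copy is still being served.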
“Please reach out to the support team so that we can identify the issue with CSP and fix it for your configuration,” the company noted in a second advisory.
What’s at Stake: Session Hijacking and Live Exploits
CVE-2025-5777 lets an unauthenticated attacker read memory from the appliance, and that memory can include active session tokens. Replaying a stolen token gets the attacker in without a password and without MFA, a foothold that can then be used for privilege escalation, data access, or lateral movement inside the network.
The second flaw, CVE-2025-6543, is already being used in the wild to carry out denial-of-service attacks. Combined, these flaws pose a high operational risk to organizations using NetScaler devices for load balancing, secure application delivery, and VPN access.
Citrix is urging all affected customers to patch immediately, even if temporary workarounds are needed to restore authentication. Because the fix does not invalidate tokens that may already have been stolen, Citrix also advises terminating all active ICA and PCoIP sessions after upgrading so that any hijacked session is dropped.
Application Security and Recovery Must Go Hand in Hand
As updates introduce stricter security controls like CSP, enterprises must ensure their authentication stack remains functional—especially when layered with third-party SSO, MFA, or federated ID systems.
And in the event attackers do succeed—through delayed patching or misconfiguration—organizations need a resilient recovery strategy to restore encrypted or compromised assets.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.