On February 18, 2025, Cloud Software Group released builds to fix CVE-2024-12284, which affects NetScaler Console. This vulnerability has been discovered in NetScaler Console (formerly NetScaler ADM) and NetScaler Console Agent and has been assigned a CVSS score of 8.8.
The issue arises due to inadequate privilege management and could be exploited by an authenticated malicious actor to execute commands without additional authorization. However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thereby limiting the threat surface to only authenticated users. Cloud Software Group recommends configuring external authentication for NetScaler Console as a best practice.
Additionally, the potential impact on self-managed NetScaler Console is minimal because the current pre-condition of NetScaler Agent being deployed significantly reduces the blast radius.
The following supported versions of NetScaler Console and NetScaler Console Agent are affected:
- NetScaler Console & NetScaler Agent 14.1 before 14.1-38.53
- NetScaler Console & NetScaler Agent 13.1 before 13.1-56.18
Since there are no mitigation steps available for this vulnerability, if you are running the impacted versions of on-premises NetScaler Console and NetScaler Console Agent, we recommend that you upgrade your deployment to the following builds:
- NetScaler Console & NetScaler Agent 14.1-38.53 and later releases
- NetScaler Console & NetScaler Agent 13.1-56.18 and later releases
If you are using Citrix-managed NetScaler Console Service, you do not need to take any action. You can find more details in the security bulletin.
Update installation
Download permanent fixes for NetScaler Console
NetScaler and Citrix are both part of Cloud Software Group, and we share the same ticketing system. If you encounter issues when you are updating your affected builds, please contact Citrix Customer Support, irrespective of whether your product includes NetScaler branding or Citrix branding.