CVE-2025-12101

MEDIUM NUCLEI

NetScaler ADC/NetScaler Gateway - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-12101. PoCs published by 7amzahard, 6h4ack, boneys. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based scanner for detecting reflected XSS (CVE-2025-12101) in Citrix NetScaler ADC/Gateway appliances. It sends a crafted SAMLResponse payload to `/cgi/logout` and checks for reflection of a `<script>alert(1)</script>` payload in the response.

Description

Cross-Site Scripting (XSS) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Exploits (3)

github SCANNER 8 stars
by 7amzahard · pythonpoc
https://github.com/7amzahard/CVE-2025-21202-exploit

This repository contains a Python-based scanner for detecting reflected XSS (CVE-2025-12101) in Citrix NetScaler ADC/Gateway appliances. It sends a crafted SAMLResponse payload to `/cgi/logout` and checks for reflection of a `<script>alert(1)</script>` payload in the response.

Classification
Scanner 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Citrix NetScaler ADC and Gateway appliances
No auth needed
Prerequisites: Network access to the target appliance · Appliance configured with Gateway or AAA virtual server role
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 3 stars
by 6h4ack · poc
https://github.com/6h4ack/CVE-2025-12101-checker

This repository contains a Python-based proof-of-concept (PoC) for CVE-2025-12101, a reflected XSS vulnerability in Citrix NetScaler ADC/Gateway. The script sends a crafted SAMLResponse and RelayState payload to the /cgi/logout endpoint and checks if the payload is reflected in the response.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Citrix NetScaler ADC/Gateway
No auth needed
Prerequisites: Network access to the target Citrix NetScaler ADC/Gateway instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by boneys · poc
https://github.com/boneys/CVE-2025-12101-Scanner-PoC

This is a multi-threaded scanner for CVE-2025-12101, a reflected XSS vulnerability in Citrix NetScaler via SAML RelayState. It verifies the vulnerability by injecting a unique marker in the payload and checking for its presence in the response.

Classification
Scanner 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Citrix NetScaler
No auth needed
Prerequisites: Network access to the target Citrix NetScaler instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Citrix NetScaler ADC & Gateway - Reflected XSS / Open Redirect
MEDIUMVERIFIEDby DhiyaneshDK,watchtowr
Shodan: http.title:"citrix gateway"

References (1)

Core 1

Scores

CVSS v4 5.9
EPSS 0.0189
EPSS Percentile 83.7%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (8)
NetScaler/ADC 12.1-FIPS and NDcPP - 55.333
NetScaler/ADC 13.1 - 60.32
NetScaler/ADC 13.1-FIPS and NDcPP - 37.250
NetScaler/ADC 14.1 - 56.73
NetScaler/Gateway 12.1-FIPS and NDcPP - 55.333
NetScaler/Gateway 13.1 - 60.32
NetScaler/Gateway 13.1-FIPS and NDcPP - 37.250
NetScaler/Gateway 14.1 - 56.73
Published Nov 11, 2025
Tracked Since Feb 18, 2026