NetScaler Times newsletter for Week 10 - 2025

New builds ahoy! 14.1 Appliance and Console plus a 12.1 FIPS update.

Hello Everyone

It’s Andrew again over at Cloud Software Group. This NetScaler Times update aims to keep you up-to-date! 🚀 Why read this? The idea is to pull together events, firmware releases, support articles, and anything else I think is relevant into a single email.

High-level agenda for this week:

• The NetScaler Times newsletter provides updates on firmware builds, security, and web resources.

• The latest firmware builds for NetScaler 14.1 Appliance and Console, plus 12.1 FIPS are available, with details on new features and fixes.

• NetScaler Security updates include CVE patches and a WAF signatures update.

• Web updates cover load balancing, URL filtering, and administration courses.

• US policy changes and Sticky Werewolf's (!) deployment of Lumma Stealer malware are highlighted.

• Feedback is welcomed for future newsletter improvements.

1. The latest firmware builds.

The details for the various builds have been listed below, as this helps plan for new releases in your environment. This support document has a lot more information on the different release cycles.

The NetScaler has multiple form factors to support different environments. NetScaler is built on a single operating system with a software-based architecture, so the behavior will be the same regardless of which is used — hardware, virtual machine, bare metal, or container. Pick one that works for you…

Latest Build Versions:

Here is a timeline for the 14.1 and 13.1 builds to show where they are within their respective release lifecycle.

Main build life cycles.

Here are all the firmware builds in a table:

All the recent builds.

A few updates this week, as shown by the red sections above.

NetScaler 14.1-43.50 updates.

The release notes are here

Analytics Infrastructure

• Auto-update `newnslog` parameters default values during the upgrade.

• Support for the 'Hostname' label in metrics export.

• Support to add or remove labels for metrics.

• Access metrics on NetScaler CPX without authentication.

• Support for metrics profile.

Authentication, authorization, and auditing

• Support for message authenticator in Radius access request.

Load Balancing

• DNS over HTTPS (DoH) Support.

NetScaler Gateway

• Support for TLS1.3 on NetScaler Gateway.

• Enhanced user experience with new UI.

• Web App Firewall protection for portal endpoints.

NetScaler SDX Appliance

• Alerts for license expiry.

• Alert for pooled or flexed licenses based on the expiry date.

• Support for non-nsroot users in admin profiles on SDX.

• Disk space extension for NetScaler instances on NetScaler SDX.

Networking

• Selective cluster node upgrade using PBS.

Platform

• LOM version 3.11.0.

• Removal of CentOS support.

• Support for IPv6 in DPDK mode.

SSL

• Automatic deletion of certificate and key files.

System

• The GLIBC version is required to install weblog binaries on Linux.

• Enhanced cache management with integrated caching.

• Global configuration for MaxClients or MaxRequestWorkers parameters in the httpd.conf file using NetScaler management settings.

NetScaler Console 14.1-43.50 update

The release notes are here

Analytics

• Migrate analytics from policy-based to profile-based configuration.

• Support to enable custom header in analytics settings to fetch the client IP address.

Infrastructure

• Removal of telemetry analytics profile from the managed NetScaler instances.

• Hostname in system event email notifications.

• Two-factor authentication (2FA) support with LDAP, RADIUS, and TACACS.

StyleBooks

• Import and synchronize StyleBooks from GitLab external repository.

• Support to update network profiles during configuration migration.

• Selecting multiple items from a StyleBook data source.

• Support a filter for data source collections.

NetScaler 12.1-55.325 FIPS update

The release notes are here. This build has these main changes:

Authentication, authorization, and auditing

• RADIUS authentication support on FIPS-certified appliances

• Traversal from the Root domain to the Tree domain for Kerberos SSO authentication is supported

Networking

• Customizable internal HTTPS service

• Platform

• Support for OpenSSH version 9.x

• VMware ESX 7.0 update 1c support on Citrix ADC VPX instance

SSL

• Support to ignore the common name if the subject alternate name (SAN) is present in the SSL certificate

System

• A new parameter was added to HTTP profile

User Interface

• Changing default RPC node passwords

Which release should I use?

The release families are designed such that 14.1 has more elements changing with each update, hence the feature phase designation. There will be fewer changes in 13.1, so unless you need a capability that is only available in the 14.1 release, the advice is to choose 13.1 for most production deployments.

An example of the move to 14.1, might be that you want to not need the ALB in Azure with your NetScaler HA deployment..read more here. Could save some $$$ or £££..

End Of Sale Appliances

These appliances are End of Sale (unavailable to buy new now), they will live and run for 5 more years from 2024.

EOL Appliances

Here is a table showing the significant EOL appliance events for the next 12 months. April looks to have a few appliances that will reach their end of life.

2. Latest NetScaler Security updates

CVE Updates from the 18th Feb

These three CVE’s were posted recently. There was a client update (the first one), a NetScaler Console update, and new information about something posted last summer. Something that is ‘interesting’, is that none of these triggered actual code updates in the latest release(s) of NetScaler / Console itself.

• Citrix Secure Access Client for Mac Security Bulletin for CVE-2025-1222 and CVE-2025-1223. The support doc is here

• CVE-2024-12284, Console vulnerability. The support doc is here

• CVE-2024-6387, OpenSSH issue update. The full post is here

Anil Shetty posted some supporting material about CVE-2024-12284: High-severity security update for NetScaler Console

Read more here

NetScaler WAF Signatures Update v146 updated on the 20th Feb

The latest version of its integrated Web App Firewall signatures helps customers mitigate several CVEs with varying CVSS scores. Link to details

3. NetScaler-related web updates from…

Set up basic load balancing | NetScaler 14.1

4 days ago — To enable load balancing by using the GUI. Navigate to System > Settings and, in Configure Basic Features, select Load Balancing. Configure a server object.

URL filtering | NetScaler 14.1 - Product Documentation

4 days ago — URL Filtering provides policy-based control of websites by using the information contained in URLs.

NetScaler ADC 14.x Administration (CNS201)

6 days ago — This course provides a thorough introduction to administering Citrix NetScaler ADC 14.x. Over five days, participants will explore NetScaler ADC features.

Configure NetScaler Gateway to support Enlightened Data

5 days ago — To configure NetScaler Gateway to support EDT using GUI, on the Configuration tab in the NetScaler GUI, expand NetScaler Gateway and select Virtual Servers.

Content Security Policy response header support for ...

5 days ago — The Content-Security-Policy (CSP) response header is a combination of policies that the browser uses to avoid Cross Site Scripting (CSS) attacks.

NetScaler Gateway VPN DNS Resolution issue with ...

7 hours ago — We have received several Windows 11 24H2 users are experiencing an internet connection issue after an hour or so after being connected to Citrix SSLVPN.

4. US Policy towards cybersecurity.

28 Feb 2025

The Trump administration has sent memos to CISA and US Cyber Command instructing cybersecurity staff to stop treating Russian hackers as a threat and halt operations targeting Russia. Both orders were issued around two weeks ago but were only first reported publicly on Friday.

In the first order, Defense Secretary Pete Hegseth ordered Cyber Command to shut down any operations targeting Russia. Martin Matishak reported for The Record that the exact duration of Hegseth's halt order is unknown but that it is set to be the branch's new policy going forward.

Read more here from Risky Business.

5. Sticky Werewolf deploys Lumma Stealer in Russia and Belarus

28 Feb 2025

The threat actor known as Sticky Werewolf (!) has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant.

More here from Hacker News.

6. Feedback for this newsletter

Naturally, if something you feel should be added/removed or called out, drop me a note; at Andrew.Scott@cloud.com. All mistakes are mine.

You can get all the previous newsletters plus other articles here:

Have a great week!