NetScaler Times newsletter for Week 26 - 2025
A summary from the CVE's last week. Plus Policy labels!
Hello Everyone
It’s Andrew with the latest edition of the NetScaler Times, an update to keep you up-to-date on all things NetScaler-related! The idea is to pull together events, firmware releases, support articles, and anything else I think is relevant into a single email, as email is the future!
High-level agenda for this week:
The newsletter covers policy labels, the latest firmware builds (including recent security updates for versions 13.1 and 14.1), and recent NetScaler security updates issued on June 17th (CVE-2025-5349 & CVE-2025-5777, CVE-2025-4879, CVE-2025-4365).
It also includes information on End of Sale and End of Life appliances, and NetScaler-related web updates.
Feedback for the newsletter can be sent to Andrew.Scott@cloud.com.
1. Policy labels
My colleague, Magnus, created this document.
Overview
This article examines the concept of policy labels and gives a few examples of how they might be useful.
If you have ever used nFactor authentication, most likely, you have been exposed to policy labels. However, they can be used in more places. Some examples are together with responder, rewrite, and content switch policies.
What are policy labels?
A policy label can be seen as a container where one or more policies are bound. The policy label is invoked when a policy expression is evaluated as true.
More here
2. The latest firmware builds.
Below are the details for the various builds, which can help you plan for new releases in your environment. This support document provides additional information on the various release cycles.
NetScaler has multiple form factors to support different environments. It is built on a single operating system with a software-based architecture, so its behaviour will be the same regardless of whether it is used as hardware, a virtual machine, bare metal, or a container. Select one that works for your environment and needs.
Latest Build Versions:
Here is a timeline for the 14.1 and 13.1 builds to show where they are within their respective release lifecycle.
Here are all the firmware builds in a table:
Quite a few build updates last week, mostly related to the security updates.
Notes about Builds:
The above is a summary taken from the NetScaler Section here.
For 13.1 FIPS & NDcPP builds: On the downloads page, there are two places to get the 13.1 NDcPP build. The FIPS build is dual-certified now and slightly newer than the NDcPP-only build. It's one to watch if you use those builds.
FIPS FAQ - NetScaler FIPS FAQ - Link
NetScaler 13.1-58.32 release.
This build has these new capabilities/updates, plus the security updates.
Build 13.1-58.32 and later builds address the security vulnerabilities described in CTX693420. This build replaces 13.1-58.21.
LOM version 3.11.0
LOM version 3.11.0 is now available for the following platforms. This version addresses multiple functional issues.
SDX 9100
SDX 16000
For more information, see the Lights Out management port of the NetScaler SDX appliance.
The full release notes are here
NetScaler FIPS builds - 13.1/12.1.13.1 NDcPP
Build 13.1-37.235 and later builds address the security vulnerabilities described in CTX693420. This build replaces 13.1-37.232.
NetScaler Console 14.1-47.46 release
Build 14.1-47.46 and later builds address the security vulnerabilities described in CTX694729.
NetScaler Console 13.1-58.32 release.
Build 13.1-58.32 and later builds address the security vulnerabilities described in CTX694729. This build replaces 13.1-58.21.
Which release should I use?
The release families are designed so that 14.1 has more elements changing with each update, hence the feature phase designation. Due to its maintenance phase, 13.1 will have fewer changes now.
An example of the move to 14.1 might be that you want to take advantage of removing the dependency of ALB in Azure with your NetScaler HA deployment. Read more here. This could save some $$$ (insert local currency).
Also, a recent customer request included plans to build a new Azure infrastructure. This was not expected to be a short-term deployment. Looking at the build cycles above, it would make sense to start looking at 14.1 for this. This would avoid re-architecting the solution next year when 13.1 moves to CVE-only support.
What about NetScaler SDX?
There are multiple NetScaler designations. VPX, MPX, SDX, BLX, and CPX all use the same firmware. The table above applies to all NetScaler types. It might not be the same download file, as appliances like the SDX do have other elements to update.
End Of Sale Appliances & End of Life Appliances
The lists below have the recent appliance status changes. These have been revised to be a bit more exhaustive.
EoS Appliances
These appliances are End of Sale (unavailable to buy new now), they will live and run for 5 more years from 2024/2023. Just add 5 years to the EoS date to get the EOL.
EOL Appliances
A table shows the EOL appliance events for the last 18 months. April had a few appliances reach their end of life and must be replaced (to get support). The MPX/SDX 16000 is the replacement in most cases.
I pulled these summary tables from the official site here. Just open and expand the NetScaler section.
2. Latest NetScaler Security updates
On June 17th, the following were issued.
1. NetScaler ADC & Gateway Security Bulletin for CVE-2025-5349 & CVE-2025-5777.
Support ref: CTX693420. Status: Critical
Full support doc: Link
2. Citrix Workspace app for Windows Security Bulletin CVE-2025-4879.
Support ref: CTX694718. Status: High
Full support doc: Link
3. NetScaler Console and NetScaler SDX (SVM) Security Bulletin for CVE-2025-4365 –
Support ref: CTXCTX694729. Status: Medium
Full support doc: Link
NetScaler WAF Signatures Update v153 was updated on the 6th June.
New signature rules are generated for the vulnerabilities identified in the week 2025-06-02. You can download and configure these signature rules to protect your appliance from security vulnerable attacks.
Cyber team write-up is here
Link to details.
3. NetScaler-related web updates from last week…
The CVEs were a big news item; these are covered above..
NetScaler 14.1 - Product Documentation
4 days ago — NetScaler is an application delivery controller that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer ...
NetScaler Application Delivery Management 14.1
4 days ago — The 14.1 release of NetScaler Application Delivery Management provides new features and enhancements. These new features and the enhancements to existing ...
NetScaler Console and NetScaler SDX (SVM) Security ...
5 days ago — The following supported versions of NetScaler Console are affected: NetScaler Console 14.1 BEFORE 14.1.47.46; NetScaler Console 13.1 BEFORE 13.1.58.32..
Getting started | NetScaler Console service
6 days ago — Getting started · Step 1: Sign Up for Citrix Cloud · Step 2: Manage NetScaler Console with an Express account · Step 3: Select a NetScaler deployment type.
4. Feedback for this newsletter
Naturally, if something you feel should be added/removed, or called out, drop me a note at Andrew.Scott@cloud.com. All mistakes are mine 🤭. All opinions expressed in this newsletter are solely my own and do not express the views or opinions of my employer.
You can get all the previous newsletters plus other articles here:
Have a great week!