Thursday, March 5, 2026

CISA Alerts on Active Exploitation of Citrix Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025, highlighting active exploitation of critical vulnerabilities affecting Citrix Session Recording and Git systems.

The additions include CVE-2024-8069 and CVE-2024-8068 in Citrix Session Recording, alongside CVE-2025-48384 in Git, all of which pose significant risks to federal enterprises and require immediate remediation action.

The two Citrix vulnerabilities target the Session Recording component of Citrix Virtual Apps and Desktops, a feature that captures user activities for compliance and troubleshooting purposes.

CVE-2024-8069 allows limited remote code execution with NetworkService Account privileges when an authenticated user operates on the same intranet as the session recording server.

The vulnerability stems from deserialization of untrusted data using Microsoft’s BinaryFormatter, which Microsoft explicitly warns cannot be made secure.

CVE-2024-8068 represents a privilege escalation vulnerability that grants NetworkService Account access to authenticated users within the same Windows Active Directory domain as the session recording server.

Security researchers at watchTowr, who discovered these vulnerabilities, dispute Citrix’s medium severity rating (CVSS 5.1), arguing they constitute “point-click-full-takeover” scenarios that enable unauthenticated remote code execution.

The controversy centers on whether exploitation requires authentication, with watchTowr demonstrating that the vulnerabilities can be exploited through a carelessly exposed Microsoft Message Queuing (MSMQ) instance accessible via HTTP.

Affected versions include Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8 (Current Release), 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16.

Exploitation attempts began appearing within hours of public disclosure, with the Shadowserver Foundation reporting active scanning and exploitation attempts targeting these vulnerabilities.


CVE-2025-48384 affects Git installations on Linux and macOS systems, carrying a CVSS score of 8.1 and enabling arbitrary file write leading to potential code execution.

The vulnerability stems from Git’s improper handling of carriage return characters in submodule paths during repository cloning operations.

When using git clone --recursive on a maliciously crafted repository, the vulnerability can cause Git to initialize submodules in incorrect locations, potentially triggering malicious post-checkout hooks.

This vulnerability particularly threatens developers who regularly work with third-party code, as it can be exploited through seemingly innocent repository clones.

Windows installations remain unaffected due to different control character handling mechanisms.

Fixed versions include v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1, with proof-of-concept exploit code publicly available.
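As an added illustration (not code from the article or from the Git project), the following Python checks an installed Git version against the fixed releases listed above and scans a repository's .gitmodules for control characters such as carriage returns in submodule path values before a recursive clone is run. The sample .gitmodules content is constructed, and treating series newer than 2.50 as already fixed is an assumption.

```python
import re

# Fixed Git releases for CVE-2025-48384 as listed in the advisory.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]


def parse_version(text):
    """Extract (major, minor, patch) from '2.47.3' or 'git version 2.47.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def git_is_patched(version_text):
    """True if the Git version carries the CVE-2025-48384 fix.

    A series that has no fixed release in the list (e.g. 2.42.x) is
    treated as unpatched. Series newer than the last listed one are
    assumed to include the fix (assumption, not stated by the article).
    """
    major, minor, patch = parse_version(version_text)
    fixed = {}
    for f in FIXED_VERSIONS:
        fmaj, fmin, fpatch = parse_version(f)
        fixed[(fmaj, fmin)] = fpatch
    key = (major, minor)
    if key in fixed:
        return patch >= fixed[key]
    return key > max(fixed)


def suspicious_submodule_paths(gitmodules_text):
    """Return 'path' values in .gitmodules that contain control characters.

    A trailing carriage return is the case the article describes; any
    byte below 0x20 or DEL in a path value is flagged as suspicious.
    """
    findings = []
    for m in re.finditer(r"^\s*path\s*=\s*(.*)$", gitmodules_text, re.M):
        value = m.group(1)  # '.' does not match '\n' but does match '\r'
        if any(ord(c) < 0x20 or c == "\x7f" for c in value):
            findings.append(value)
    return findings


# Constructed sample: one clean submodule, one whose path ends in CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    "\tpath = lib\n"
    "\turl = https://example.invalid/lib.git\n"
    '[submodule "evil"]\n'
    "\tpath = evil\r\n"
    "\turl = https://example.invalid/evil.git\n"
)
```

Cloning with --no-recurse-submodules first, running suspicious_submodule_paths over the checked-out .gitmodules, and only then initializing submodules keeps the hook-triggering step from running on an unreviewed repository.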

Federal Remediation Requirements

CISA’s addition of these vulnerabilities to the KEV Catalog triggers mandatory remediation requirements under Binding Operational Directive (BOD) 22-01.

Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities within two weeks for CVEs assigned after 2021, while vulnerabilities with CVE IDs assigned prior to 2021 require remediation within six months.

The directive establishes the KEV Catalog as the authoritative source for vulnerabilities carrying significant risk to the federal enterprise, requiring agencies to update internal vulnerability management procedures and report remediation status through the CDM Federal Dashboard.

Although BOD 22-01 applies specifically to federal agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practices.

The rapid addition of these vulnerabilities underscores the accelerating pace of exploitation, with research showing that 28.3% of new KEVs in 2025 were exploited within one day of CVE disclosure.

Organizations should implement automated KEV monitoring, establish emergency patching procedures for newly listed vulnerabilities, and strengthen network controls to limit attack surfaces during remediation periods.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
