CISA Warns of Citrix RCE and Privilege Escalation Vulnerabilities Exploited in Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

CISA has issued a critical alert regarding three newly identified vulnerabilities being actively exploited by threat actors.

On August 25, 2025, CISA added these high-risk Common Vulnerabilities and Exposures (CVEs) to its Known Exploited Vulnerabilities (KEV) Catalog, signaling immediate concern for federal agencies and private organizations alike.

Key Takeaways
1. CISA added two Citrix Session Recording CVEs and one Git CVE to its KEV Catalog.
2. Citrix flaws require authenticated local access; Git flaw exploits symlinked hooks for arbitrary code execution.
3. Federal agencies must patch per BOD 22-01; all organizations should update immediately.

Citrix Session Recording Vulnerabilities 

Two of the three vulnerabilities target Citrix Session Recording infrastructure, presenting significant security risks for organizations utilizing this enterprise monitoring solution. 

CVE-2024-8069, classified as a deserialization of untrusted data vulnerability with a CVSS 4.0 score of 5.1 (Medium), enables limited remote code execution with NetworkService Account privileges. 

The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and allows authenticated attackers on the same intranet as the session recording server to execute arbitrary code.

The attacker must be an authenticated user within the target network. The CVSS 4.0 vector string is CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N.

This indicates Adjacent Network access with Low complexity, requiring Low privileges but no user interaction.

CVE-2024-8068 is a privilege escalation vulnerability with identical CVSS scoring, classified under CWE-269 (Improper Privilege Management).

This flaw allows authenticated users within the same Windows Active Directory domain to escalate privileges to NetworkService Account access, potentially compromising the entire session recording infrastructure.

Both Citrix vulnerabilities affect multiple Long Term Service Release (LTSR) versions, including 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, 2402 LTSR before CU1 hotfix 24.02.1200.16, and the 2407 Current Release before version 24.5.200.8.

Git Link Following Vulnerability 

The third addition, CVE-2025-48384, affects Git version control systems with a higher CVSS 3.1 score of 8.1 (High). 

This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-436 (Interpretation Conflict), and enables arbitrary code execution through broken configuration quoting.

The attack leverages Git’s handling of carriage return and line feed (CRLF) characters in configuration values. 

When initializing submodules with trailing CR characters in the path, Git incorrectly processes the altered path, potentially allowing symlink-based attacks. 

If an attacker creates a symlink pointing the altered path to the submodule hooks directory and includes an executable post-checkout hook, malicious scripts may execute unintentionally after checkout operations.

The vulnerability affects Git versions prior to 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1, with the CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H indicating Network access with High complexity but potentially catastrophic impact.
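A version check built from the fixed releases listed above, as an added example (not code from the original article or from the Git project). It assumes release lines newer than 2.50 already carry the fix and that vendor builds follow upstream numbering; the sample version strings are constructed.

```python
import re
import subprocess

# First fixed patch level per release line, taken from the article's list.
FIXED = {(2, 43): 7, (2, 44): 4, (2, 45): 4, (2, 46): 4,
         (2, 47): 3, (2, 48): 2, (2, 49): 1, (2, 50): 1}


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` style output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True if the version predates the CVE-2025-48384 fix for its line."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    # Lines older than 2.43 have no fixed release in the list: affected.
    # Lines newer than 2.50 are assumed to include the fix (assumption).
    return line < min(FIXED)


def check_installed_git(git="git"):
    """Query the local git binary; returns (version, vulnerable)."""
    out = subprocess.run([git, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_git_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample outputs, including vendor-suffixed builds.
    samples = ["git version 2.45.1.windows.1",
               "git version 2.39.5 (Apple Git-154)",
               "git version 2.50.0.rc1",
               "git version 2.50.1",
               "git version 2.51.0"]
    for s in samples:
        v = parse_git_version(s)
        print(f"{s!r:45} -> {'VULNERABLE' if is_vulnerable(v) else 'ok'}")
```

Vendor-packaged builds may backport the fix without changing the upstream version number, so confirm a "vulnerable" result against the vendor's advisory before acting on it.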

CVE | Title | CVSS 3.1 Score | Severity
CVE-2024-8069 | Limited remote code execution with NetworkService privileges | 8.8 | High
CVE-2024-8068 | Privilege escalation to NetworkService Account access | 8.0 | High
CVE-2025-48384 | Git allows arbitrary code execution through broken config quoting | 8.1 | High

Mitigations

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these KEV-listed vulnerabilities by their specified due dates. 

CISA strongly recommends that all organizations prioritize remediation of these actively exploited vulnerabilities. 

The agency continues expanding the KEV Catalog based on evidence of in-the-wild exploitation, emphasizing the critical nature of these security flaws for both public and private sector entities.

Organizations should immediately assess their exposure to these vulnerabilities, particularly those utilizing Citrix Session Recording infrastructure or Git-based development workflows, and implement available patches to prevent potential compromise.
