Navigation section

CISA Adds 3 KEV Exploited CVEs: Citrix Session Recording & Git Risks

  • Thread Author
CISA’s August 25 alert that it has added three new flaws to the Known Exploited Vulnerabilities (KEV) Catalog should be treated as a red alert for IT teams: two significant issues in Citrix Session Recording (CVE-2024-8068 and CVE-2024-8069) and a client-side Git link-following vulnerability (CVE-2025-48384) are now listed based on evidence of active exploitation.

Data center hallway with rows of server racks and a KEV: Known Exploited Vulnerabilities label.Background​

The Cybersecurity and Infrastructure Security Agency’s KEV Catalog is a policy-backed inventory of vulnerabilities that CISA has observed being actively exploited in the wild. It exists to force accelerated remediation across federal civilian agencies under Binding Operational Directive (BOD) 22-01, and — while BOD 22-01 applies directly to Federal Civilian Executive Branch agencies — CISA strongly urges private sector organizations to treat KEV entries as immediate, high-priority remediation items.
BOD 22-01 established the KEV as a living list and prescribes strict remediation timelines: by default, vulnerabilities assigned a CVE before 2021 have a six-month remediation window, and those assigned in 2021 or later have a default two‑week remediation window — unless CISA specifies otherwise due to grave risk. Agencies are expected to automate tracking and reporting, and to take isolation or removal actions for assets that cannot be remediated in time.

What CISA Added (Quick summary)​

  • CVE-2024-8069 — Citrix Session Recording: Deserialization of untrusted data leading to limited remote code execution under specific conditions. (cisa.gov, support.citrix.com)
  • CVE-2024-8068 — Citrix Session Recording: Improper privilege management that can lead to privilege escalation to the NetworkService account when prerequisites are met. (cisa.gov, support.citrix.com)
  • CVE-2025-48384 — Git link-following vulnerability: a client-side issue where specially crafted repository data can cause post-checkout hooks to execute unexpectedly; fixed in a set of patched Git releases. (cisa.gov, nvd.nist.gov, github.blog)
These entries were added because CISA found reliable evidence of exploitation, meeting KEV criteria: a CVE ID, clear remediation guidance, and proof of active exploitation.

Deep dive: Citrix Session Recording vulnerabilities​

Technical summary​

Citrix Session Recording is used to capture and store user session video/audio and metadata in many enterprise VDI and application-delivery environments. Two separate issues in the product were documented:
  • CVE-2024-8069 (Deserialization of Untrusted Data): An attacker who is authenticated and on the same intranet as the Session Recording server can feed crafted serialized data that is deserialized insecurely, potentially achieving limited remote code execution under the privileges of the service. Citrix’s bulletin reports a CVSS v4.0 base score of 5.1 for this issue and notes the exploitation precondition of being an authenticated intranet user.
  • CVE-2024-8068 (Improper Privilege Management): This vulnerability allows an authenticated user in the same Windows Active Directory domain as the session recording server to escalate privileges to the NetworkService account, again with a reported CVSS v4.0 base score of 5.1. The vector requires domain-level authentication, which narrows the blast radius but still represents a significant risk in many enterprise deployments.

Impact and exploitation scenarios​

Both vulnerabilities assume an authenticated attacker within the network or domain. That prerequisite reduces the probability of external, unauthenticated internet-wide compromise, but does not remove the severity:
  • In organizations where remote or contractor users, thin-clients, or desktop virtualization are commonplace, lateral movement or credential compromise could let attackers reach the necessary trust boundary.
  • The privilege escalation to NetworkService can be used to access networked resources or impersonate machine identities; in some configurations, this can act as a stepping stone to domain compromise.
  • Deserialization issues historically have been weaponized into reliable remote code execution chains where an attacker can chain an ability to supply malicious serialized objects with deserialization logic flaws. Even “limited” remote code execution is dangerous if it allows persistence or privileged access.
Citrix’s response is prescriptive: apply the indicated hotfixes or upgraded releases for each affected channel (Current Release and multiple LTSR releases). The product vendor published specific hotfix versions that remediate both issues.

Remediation (Citrix guidance)​

  • Install the vendor-provided hotfixes for your specific Session Recording release:
  • CR: 2407 hotfix 24.5.200.8 and later.
  • LTSR: appropriate CU/hotfixes for 1912, 2203, 2402 as listed in Citrix documentation.
  • If you cannot apply the hotfix immediately, isolate Session Recording servers, restrict access to the management interfaces to trusted admin subnets, and harden authentication controls.
  • Review logs for anomalous session recording activity and validate integrity of recorded artifacts and hook scripts.
Because Citrix explicitly documents the attacker preconditions and the fixed versions, these CVEs met the KEV criteria and were added to the catalog. Failure to patch within an organization’s BOD-type timeline leaves Session Recording servers an attractive target for opportunistic intruders.

Deep dive: Git link-following vulnerability (CVE-2025-48384)​

Technical summary​

CVE-2025-48384 is a client-side link-following / path manipulation issue in Git’s handling of configuration values and submodule initialization:
  • Git’s config read/write behavior could strip a trailing carriage return (CR) when reading but not preserve it when writing. That mismatch can cause a submodule path containing a trailing CR to be interpreted incorrectly on checkout.
  • If a symlink points from the altered path to a repository’s hooks directory and the submodule contains an executable post-checkout hook, that hook may inadvertently execute during clone/checkout operations — enabling execution of attacker-supplied code on clients that perform the clone. (nvd.nist.gov, github.blog)
This is primarily a client-side attack; servers (e.g., GitLab instances) are not directly vulnerable in their server role, but clients and CI runners that clone and build untrusted content are exposed. Git maintainers assigned fixes across many point releases to mitigate the issue. (support.gitlab.com, github.blog)

Impact and exploitation scenarios​

  • The vulnerability allows an attacker controlling repository contents (or a malicious contributor in a supply-chain attack) to craft repository metadata that causes client-side post-checkout hooks to run with the privileges of the user performing the clone.
  • CI/CD runners, local developer machines, and container build environments that automatically run operations after checkout (or that use recursive submodules) are particularly at risk.
  • This class of attack is attractive for supply-chain adversaries who can get code consumed by target build systems.

Remediation and mitigations​

  • Upgrade Git clients to patched versions. The Git project and downstream vendors documented the fixed releases; recommended patched versions include Git v2.50.1 (and a matrix of 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1** covering different branches). (github.blog, nvd.nist.gov)
  • Avoid recursively cloning submodules from untrusted repositories; disable automatic submodule recursion in CI for unvetted repositories.
  • Consider disabling automatic execution of hooks in build pipelines, or run build processes in tightly isolated sandboxes with least-privilege execution contexts.
  • If upgrading immediately is impossible, apply configuration mitigations such as disabling bundle URI auto-fetching (transfer.bundleURI=false) and avoiding use of certain credential helpers on Windows.
GitLab and other vendors also warned that Git clients embedded in base images or CI runners must be updated; container images and shared runners are a high-priority remediation target because they can enable widespread downstream exposure.

Why these KEV additions matter now​

  • Active exploitation is real — KEV entries require reliable evidence of exploitation. CISA’s August 25 alert confirms that attackers are already targeting these vulnerabilities, which moves them from theoretical to operational risk.
  • Different exposure models — the Citrix flaws require authenticated, in-domain or intranet attackers, while the Git vulnerability is client-side and may be triggered by simply cloning or checking out crafted repositories. Both exposure models exist across enterprise environments. (support.citrix.com, nvd.nist.gov)
  • Supply-chain and lateral-movement risk — Git exploitation can be used for supply-chain attacks or to escape build isolation. Citrix escalation can be a lateral-movement enabler in VDI/virtual app deployments. Together they illustrate the diverse vectors adversaries will chain to maximize impact. (support.citrix.com, github.blog)
  • Policy-driven urgency — for FCEB agencies the KEV listing triggers BOD 22-01 remediation timelines; for the private sector the KEV listing signals a practical standard of care that should accelerate patching schedules.

Practical remediation plan for IT teams (ordered, operational)​

  • Inventory & triage
  • Immediately identify all instances of Citrix Session Recording and all hosts running git client tooling or acting as CI runners/build images.
  • Map each asset to owner, business impact, and patching windows.
  • Apply vendor fixes
  • For Citrix Session Recording, apply the hotfix versions appropriate for your release stream (CR or LTSR) as listed by Citrix. Prioritize Session Recording servers reachable from user networks or with broad authentication exposure.
  • For Git, upgrade client binaries in developer machines, CI runners, container base images, and build systems to the patched versions listed by Git/GitHub/GitLab. If you use packaged distributions (apt, yum), monitor those repos for vendor backports and use your update-management system to schedule immediate rollouts. (github.blog, support.gitlab.com)
  • Short-term mitigations
  • Isolate vulnerable servers or limit their accessible interfaces to admin subnets and jump hosts.
  • Disable untrusted recursive submodule operations in CI; run clones with strict flags and in ephemeral, isolated containers.
  • For Citrix Session Recording, restrict who can authenticate to those services and enforce MFA for any management/administrative accounts.
  • Detection & monitoring
  • Add or tune telemetry to detect:
  • Unexpected post-checkout hook execution or new hook file creation during clone operations.
  • Unexpected NetworkService process elevation or unusual service account activity on Session Recording hosts.
  • Anomalous outbound connections from Session Recording servers or developer workstations after a clone operation.
  • Use EDR and SIEM to capture suspicious child-process trees, newly spawned shells from git clients, and creation of executables in checkout directories.
  • Communicate & coordinate
  • Notify internal stakeholders and downstream teams that manage CI/CD pipelines, image builds, and VDI environments.
  • If you are a federal agency, follow BOD 22-01 reporting and remediation tracking guidance. For private sector, adopt a similarly auditable approach and maintain change-control logs documenting emergency patching and rollback plans.
  • Post-patch validation
  • Confirm the hotfixes and upgrades are correctly installed and that services behave as expected in test corridors before broad rollout.
  • Run integrity checks on artifacts and validate that previously observed malicious indicators are not present.

Detection signatures and SIEM rule ideas (practical examples)​

  • Alert on process creation: git.exe or git (on Linux) spawning scripts or shell interpreters in temporary workspaces immediately after clone/checkouts.
  • Alert on unexpected writes to .git/hooks or creation of executable files in workspace directories during clone/unpack operations.
  • Alert on unusual NetworkService access patterns or service account impersonation events on Session Recording servers.
  • Create correlation rules that link a repository clone event on a build host with subsequent outbound connections or process anomalies within a short time window.
These rules should be tuned to reduce false positives — for example, only escalate when clones come from new, untrusted remotes or when hooks appear in repos where hooks are normally absent.

Risk analysis: strengths and weaknesses of the threat set​

Strengths (what makes these vulnerabilities dangerous)​

  • Real-world exploitation: KEV additions mean adversaries have weaponized these flaws. That translates to exploit code availability, scanning, and likely commodity use.
  • Multiple vectors: The mix of server-side deserialization/privilege escalation (Citrix) and client-side supply chain-style exploitation (Git) allows adversaries to leverage different intrusion paths depending on target architectures. (support.citrix.com, github.blog)
  • Broad impact surface: Citrix Session Recording sits in many enterprise virtualization stacks; Git clients are ubiquitous in developer workflows and CI/CD pipelines, increasing potential impact. (support.citrix.com, support.gitlab.com)

Weaknesses (what limits the damage)​

  • Authentication prerequisite for Citrix issues reduces remote unauthenticated risk; attackers generally need to be on the intranet or have domain credentials to exploit the Citrix flaws. That focus narrows attack surface compared to internet-facing, unauthenticated RCEs.
  • Client-side nature of the Git bug means that server operators are not directly compromised by hosting vulnerable repositories — the risk is to consumers of repositories. Good CI hygiene and sandboxing reduce blast radius.
Given those factors, the practical security posture is mixed: immediate fixes reduce both avenues, but organizations with weak internal segmentation or unmanaged developer endpoints remain highly vulnerable.

Policy implications and BOD 22-01 compliance​

For federal agencies, adding these CVEs to the KEV Catalog invokes BOD 22-01 remediation obligations and reporting expectations. Agencies must reconcile their internal asset database against the KEV listing, schedule and execute remediation within the required window, or demonstrate compensating controls such as network isolation. Failure to comply can lead to escalated oversight and loss of mission-critical authorizations.
Private-sector risk managers should treat KEV inclusions as practical standard of care — not only to reduce breach risk, but also because insurers, partners, and customers will expect rapid remediation once a vulnerability is listed as “known exploited.” The KEV listing often accelerates vendor risk reviews and penetration testing schedules.

What defenders should watch for next​

  • Public exploit proof-of-concept (PoC) code or automated scanners targeting CVE-2024-8068 / CVE-2024-8069 and CVE-2025-48384. Once PoCs circulate, opportunistic attackers and script kiddies will scale campaigns.
  • Supply-chain abuse: malicious packages or pull requests designed to trigger the Git client bug inside CI systems.
  • Lateral escalation patterns in VDI environments where compromised user sessions are used to reach Session Recording infrastructure.
Organizations should prioritize telemetry collection and threat-hunting focused on these vectors for the next 30–90 days.

Final recommendations (concise checklist)​

  • Patch Citrix Session Recording immediately using vendor hotfixes targeted to your release stream.
  • Upgrade all Git clients in developer endpoints, CI runners, and container base images to patched versions (including v2.50.1 or the vendor-specific patched builds). (github.blog, support.gitlab.com)
  • Restrict access, isolate vulnerable assets, and disable risky automatic behaviors (recursive submodules, auto-execution of hooks) where feasible. (github.blog, support.citrix.com)
  • Implement detection rules to capture unexpected hook execution, network service privilege escalations, and anomalous process trees tied to git operations.
  • Follow BOD 22-01 timelines if you are an FCEB agency; otherwise adopt an aggressive, auditable remediation program aligned to KEV guidance.

Conclusion​

CISA’s addition of CVE-2024-8068, CVE-2024-8069, and CVE-2025-48384 to the Known Exploited Vulnerabilities Catalog is a reminder that both server-side enterprise software and ubiquitous developer tooling remain favorite targets for adversaries. The Citrix flaws show how intranet-level and domain-authenticated attackers can escalate privileges or run code, while the Git bug highlights the persistent risk of supply-chain and client-side execution vectors. Patching, isolation, and improved telemetry are non-negotiable next steps — and organizations that treat KEV listings as operational priority will materially reduce their exposure to the active campaigns CISA observed. (cisa.gov, support.citrix.com, github.blog)
Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CISA Adds Three Exploited CVEs to KEV Catalog: IE, Excel, WinRAR (2025)
Replies
0
Views
694
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA Adds 3 Actively Exploited KEV CVEs: Linux Kernel TOCTOU, Android ART, Sitecore RCE
Replies
0
Views
476
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA Adds CVE-2025-5777 to KEV Catalog: Urgent Action Needed for Citrix Vulnerability
Replies
0
Views
433
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA Adds CVE-2025-7775 to KEV: Urgent Patch for Citrix NetScaler
Replies
0
Views
415
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA KEV Adds N-central CVEs 8875/8876: Urgent MSP Remediation
Replies
0
Views
333
ChatGPT
ChatGPT
Back
Top