CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

On August 25, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog by incorporating three security flaws that have been actively exploited. These vulnerabilities impact Citrix Session Recording and Git, posing significant risks to organizations utilizing these technologies.

Detailed Overview of the Vulnerabilities:

1. CVE-2024-8068 (CVSS Score: 5.1): This vulnerability pertains to improper privilege management within Citrix Session Recording. An authenticated user, operating within the same Windows Active Directory domain as the session recording server, could exploit this flaw to escalate their privileges to the NetworkService Account level. Such an escalation could grant unauthorized access to sensitive data and critical system functions.

2. CVE-2024-8069 (CVSS Score: 5.1): Also affecting Citrix Session Recording, this vulnerability involves the deserialization of untrusted data. An authenticated user on the same intranet as the session recording server could exploit this flaw to achieve limited remote code execution with the privileges of the NetworkService Account. This could lead to unauthorized actions and system compromise.

3. CVE-2025-48384 (CVSS Score: 8.1): This vulnerability is found in Git and arises from inconsistent handling of carriage return (CR) characters in configuration files. An attacker could exploit this flaw to execute arbitrary code by manipulating submodule paths containing trailing CR characters. This manipulation can cause Git to initialize submodules in unintended locations, leading to potential security breaches.
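
For triage of the CR condition described in item 3, the following check flags submodule entries whose values carry a carriage return that is not simply part of a CRLF line ending. It is an added example, not code from CISA, Datadog or the Git project; it assumes the submodule configuration lives in the repository's `.gitmodules` file, the function name is hypothetical, and the sample inputs are constructed.

```python
import re
import sys

# "path = value" / "url = value" lines; Git config keys are case-insensitive.
# [ \t]* is used instead of \s* so a CR at the start of a value is not swallowed.
KEY_RE = re.compile(rb'^[ \t]*(path|url)[ \t]*=[ \t]*(.*)$', re.IGNORECASE)

def find_cr_in_gitmodules(data: bytes):
    """Return (line_number, key, raw_value) for submodule values containing CR.

    A single CR directly before LF is treated as a normal CRLF line ending
    and ignored, so files saved with Windows line endings are not flagged.
    """
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            line = line[:-1]              # drop the CR half of a CRLF ending
        m = KEY_RE.match(line)
        if m and b"\r" in m.group(2):     # CR survives inside the value itself
            findings.append((lineno, m.group(1).decode().lower(), m.group(2)))
    return findings

# Constructed sample: ordinary file with CRLF line endings (should be clean).
SAMPLE_CLEAN_CRLF = (
    b'[submodule "lib"]\r\n'
    b'\tpath = lib\r\n'
    b'\turl = https://example.invalid/lib.git\r\n'
)

# Constructed sample: quoted path value that ends in a CR character.
SAMPLE_SUSPECT = (
    b'[submodule "lib"]\n'
    b'\tpath = "lib\r"\n'
    b'\turl = https://example.invalid/lib.git\n'
)

if __name__ == "__main__":
    # Usage: python check_gitmodules.py /path/to/repo/.gitmodules
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = find_cr_in_gitmodules(fh.read())
    else:
        hits = find_cr_in_gitmodules(SAMPLE_SUSPECT)
    for lineno, key, value in hits:
        print(f"line {lineno}: {key} value contains CR: {value!r}")
    sys.exit(1 if hits else 0)
```

A hit is a reason to inspect the repository before cloning it recursively; the check is a heuristic and does not replace updating Git.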

Patch and Mitigation Efforts:

Citrix addressed both CVE-2024-8068 and CVE-2024-8069 in November 2024, following responsible disclosure by watchTowr Labs on July 14, 2024. Organizations using Citrix Session Recording are strongly advised to ensure their systems are updated to the patched versions to mitigate potential risks.

The Git vulnerability, CVE-2025-48384, was rectified by the Git project in July 2025. Following the public disclosure, Datadog released a proof-of-concept (PoC) exploit, highlighting the critical nature of this flaw. Organizations utilizing Git should promptly update to the latest version to safeguard against potential exploits.

Implications and Recommendations:

The inclusion of these vulnerabilities in the KEV catalog underscores the importance of proactive cybersecurity measures. Organizations are urged to:

– Assess and Update Systems: Conduct thorough assessments to identify if their systems are affected by these vulnerabilities and apply the necessary patches without delay.

– Monitor for Exploitation Attempts: Implement monitoring mechanisms to detect any signs of exploitation related to these vulnerabilities.

– Enhance Security Protocols: Review and strengthen security protocols, especially concerning privilege management and data serialization processes, to prevent similar vulnerabilities in the future.

CISA’s Directive to Federal Agencies:

In response to the active exploitation of these vulnerabilities, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies implement the required mitigations by September 15, 2025. This directive aims to secure federal networks against potential threats arising from these vulnerabilities.

Conclusion:

The active exploitation of vulnerabilities in widely used platforms like Citrix Session Recording and Git highlights the ever-present challenges in cybersecurity. It is imperative for organizations to remain vigilant, promptly apply security patches, and continuously enhance their security measures to protect against evolving threats.