CISA has released a critical security advisory highlighting three recently discovered vulnerabilities that are actively targeted by attackers.
On August 25, 2025, these high-risk Common Vulnerabilities and Exposures (CVEs) were added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signaling an urgent need for both government agencies and private organizations to act swiftly.
Key Highlights
- Two Citrix Session Recording CVEs and one Git CVE have been listed in the KEV Catalog.
- Citrix vulnerabilities require authenticated local access, while the Git flaw allows arbitrary code execution through symlinked hooks.
- Federal agencies are required to patch as per BOD 22-01, and all organizations should update systems immediately.
Citrix Session Recording Flaws
Two vulnerabilities specifically affect Citrix Session Recording, posing serious risks for organizations relying on this enterprise monitoring tool.
CVE-2024-8069 is a deserialization of untrusted data issue with a CVSS 4.0 score of 5.1 (Medium). It permits limited remote code execution under the NetworkService Account privileges. Exploiting this flaw requires the attacker to be an authenticated user on the same intranet as the session recording server.
The CVSS 4.0 vector is: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
This represents Adjacent Network access, Low complexity, Low privileges, and no user interaction.
CVE-2024-8068 allows privilege escalation through improper privilege management (CWE-269) and carries the same CVSS score. Authenticated users on the same Windows Active Directory domain can escalate their privileges to NetworkService Account, potentially compromising the entire session recording system.
Affected Citrix versions include:
- 1912 LTSR before CU9 hotfix 19.12.9100.6
- 2203 LTSR before CU5 hotfix 22.03.5100.11
- 2402 LTSR before CU1 hotfix 24.02.1200.16
- 2407 Current Release before version 24.5.200.8
Git Configuration Vulnerability
The third vulnerability, CVE-2025-48384, impacts Git version control systems and has a CVSS 3.1 score of 8.1 (High).
It is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-436 (Interpretation Conflict), and allows arbitrary code execution through mishandled quoting of configuration values.
The flaw occurs when Git misinterprets submodule paths that carry trailing CRLF characters during submodule initialization. Attackers can use symlinks to redirect such altered paths into a submodule's hooks directory, placing an executable post-checkout hook that runs a malicious script after checkout operations.
Affected Git versions: <2.43.7, <2.44.4, <2.45.4, <2.46.4, <2.47.3, <2.48.2, <2.49.1, <2.50.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H – Network access, High attack complexity, Low privileges, User interaction required, Changed scope, and High impact on confidentiality, integrity and availability.
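To turn the advisory into a check a defender can run, here is an added example (not CISA's or the Git project's code) that flags a Git version below the fixed releases listed above and scans a `.gitmodules` file for submodule paths carrying control characters such as a trailing carriage return. The `.gitmodules` content is constructed, and treating release lines newer than 2.50 as patched is an assumption.

```python
import re
from typing import List, Tuple

# Fixed Git releases listed in the advisory; anything below the fix on its
# own 2.x line is affected by CVE-2025-48384.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]

# Constructed sample .gitmodules (not from the advisory): the second submodule's
# path carries a trailing carriage return, the pattern the advisory describes.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n'
    '\tpath = evil\r\n'
    '\turl = https://example.invalid/evil.git\n'
)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from 'git version 2.47.1' or '2.47.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Git version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def git_is_vulnerable(version: str) -> bool:
    """True when the installed Git is below the fixed release for its line.
    Lines older than 2.43 have no fix listed, so they are treated as affected;
    lines newer than 2.50 are assumed to carry the fix (assumption)."""
    major, minor, patch = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fmaj, fmin, fpatch = parse_version(fixed)
        if (major, minor) == (fmaj, fmin):
            return patch < fpatch
    return (major, minor) < (2, 43)

def suspicious_submodule_paths(gitmodules: str) -> List[str]:
    """Return submodule 'path' values containing a control character such as CR.
    The file is split on LF only so a trailing CR stays attached to the value."""
    findings = []
    for line in gitmodules.split("\n"):
        m = re.match(r"\s*path\s*=\s*(.*)$", line)
        if m and any(ord(c) < 0x20 for c in m.group(1)):
            findings.append(m.group(1))
    return findings
```

Feed `git --version` output to `git_is_vulnerable` and the contents of each repository's `.gitmodules` to `suspicious_submodule_paths`; any flagged path deserves inspection before the submodule is initialized.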
IOCs Table
| CVE | Vulnerability | CVSS Score | Severity | Exploit Type | Affected Systems |
|---|---|---|---|---|---|
| CVE-2024-8069 | Limited RCE via NetworkService | 8.8 | High | Remote Code Execution | Citrix Session Recording LTSR 1912, 2203, 2402, 2407 |
| CVE-2024-8068 | Privilege Escalation to NetworkService | 8.0 | High | Privilege Escalation | Citrix Session Recording LTSR 1912, 2203, 2402, 2407 |
| CVE-2025-48384 | Arbitrary code execution via Git config | 8.1 | High | Code Execution via Symlink | Git versions <2.43.7 – <2.50.1 |
Mitigation Steps
- Federal agencies must comply with BOD 22-01 to patch these KEV-listed vulnerabilities.
- All organizations should prioritize applying patches for these actively exploited flaws immediately.
- Assess exposure for Citrix Session Recording or Git-based workflows and deploy available fixes to prevent compromise.
CISA continues to expand the KEV Catalog based on in-the-wild evidence, underscoring the critical nature of these vulnerabilities.
Original Link: https://www.cisa.gov/known-exploited-vulnerabilities-catalog