U.S. CISA adds Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

• CVE-2024-8069 (CVSS score of 5.1) Citrix Session Recording Deserialization of Untrusted Data Vulnerability
• CVE-2024-8068 (CVSS score of 5.1) Citrix Session Recording Improper Privilege Management Vulnerability
• CVE-2025-48384 (CVSS score of 8.1) Git Link Following Vulnerability

CVE-2024-8069 is a limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording. An attacker who is an authenticated user on the same intranet as the session recording server can exploit this flaw.

CVE-2024-8068 is a privilege escalation to NetworkService Account access in Citrix Session Recording. An attacker who is an authenticated user in the same Windows Active Directory domain as the session recording server domain can exploit this flaw.

CVE-2025-48384 vulnerability resides in Git’s handling of configuration values and stems from how it processes carriage return (CR) characters. When Git writes a config entry, it does not properly preserve trailing CR values, leading to subtle alterations in paths that include them.

This becomes dangerous during submodule initialization: if the submodule path contains a trailing CR, Git interprets it incorrectly and checks out the submodule to the wrong location. An attacker could exploit this by creating a symlink from the altered path to the submodule’s hooks directory. If the submodule also contains a malicious, executable post-checkout hook, the script would run automatically after checkout—without the user’s awareness.

This flaw could enable remote code execution in scenarios where repositories with maliciously crafted submodules are cloned.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by September 15, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cisa)