The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2024-8068 (CVSS score: 5.1) – An improper privilege management vulnerability in Citrix Session Recording that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain
- CVE-2024-8069 (CVSS score: 5.1) – A deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with the privileges of a NetworkService Account access when an attacker is an authenticated user on the same intranet as the session recording server
- CVE-2025-48384 (CVSS score: 8.1) – A link following vulnerability in Git that arises as a result of inconsistent handling of carriage return (CR) characters in configuration files, resulting in arbitrary code execution
Both the Citrix flaws were patched by the company in November 2024 following responsible disclosure by watchTowr Labs on July 14, 2024. CVE-2025-48384, on the other hand, was addressed by the Git project earlier this July. A proof-of-concept (PoC) exploit was released by Datadog following public disclosure.
“If a submodule path contains a trailing CR, the altered path can cause Git to initialize the submodule in an unintended location,” Arctic Wolf said about CVE-2025-48384. “When this is combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook, cloning a repository can result in unintended code execution.”
As is typically the case, CISA has provided no further technical details on the exploitation activity, or who may be behind them. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by September 15, 2025, to secure their networks against active threats.
