The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025, signaling active exploitation of flaws in Citrix Session Recording and the Git client. The move triggers mandatory remediation timelines for federal agencies and raises the alarm for private-sector organizations that rely on these widely deployed tools.
CVE-2024-8068, CVE-2024-8069, and CVE-2025-48384 now join the living list of security defects that CISA has confirmed are being weaponized in the wild. Two of the vulnerabilities affect Citrix Session Recording, a component used in enterprise virtual desktop and application delivery environments to capture user session audio, video, and metadata. The third is a client-side link-following bug in Git, the ubiquitous version control system, that can be triggered by simply cloning a maliciously crafted repository.
The KEV Catalog: A Policy-Driven Alarm
CISA’s KEV Catalog was established under Binding Operational Directive (BOD) 22-01 to force accelerated remediation of vulnerabilities known to be actively exploited. While the directive applies only to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges all organizations to treat KEV entries as immediate, high-priority patches. BOD 22-01 sets default remediation windows: vulnerabilities with CVE IDs assigned before 2021 have a six-month grace period, while those assigned in 2021 or later must be patched within two weeks—unless CISA specifies a different deadline due to grave risk.
For the three new additions, the two-week clock is already ticking. The August 25 alert confirms that attackers are actively exploiting these flaws, elevating them from theoretical risks to operational emergencies.
Inside Citrix Session Recording’s Dual Flaws
Citrix Session Recording is a staple in many enterprise VDI and application-delivery stacks. The two newly listed vulnerabilities, though requiring authentication, pose a significant threat to organizations where internal segmentation is weak or contractors have network access.
CVE-2024-8069: Deserialization of Untrusted Data
This vulnerability allows an attacker who is authenticated and on the same intranet as the Session Recording server to feed crafted serialized data that is deserialized insecurely. Success can lead to limited remote code execution under the privileges of the service. Citrix assigned it a CVSS v4.0 base score of 5.1, noting the prerequisite of being an authenticated intranet user.
CVE-2024-8068: Improper Privilege Management
An authenticated user in the same Windows Active Directory domain as the Session Recording server can exploit improper privilege management to escalate to the NetworkService account. That account level can access networked resources or impersonate machine identities, making it a valuable stepping stone toward broader domain compromise. The CVSS v4.0 base score is also 5.1.
Real-World Impact
Both flaws assume an attacker already has a foothold inside the network or domain. In many environments, that foothold can be gained through credential theft, social engineering, or exploiting a less critical vulnerability. Once exploited, an attacker can persist on the recording server, tamper with audit logs, or pivot to more sensitive systems. Deserialization bugs, in particular, have a long history of being chained with other exploits to achieve full remote code execution.
Citrix’s Response and Patch Matrix
Citrix published a security bulletin detailing hotfixes for all affected release streams:
- Current Release (CR) 2407: Hotfix 24.5.200.8 and later
- Long Term Service Release (LTSR) 1912, 2203, 2402: Cumulative update or hotfix releases as listed in the bulletin
If immediate patching is impossible, Citrix recommends isolating Session Recording servers, restricting management-interface access to trusted admin subnets, and hardening authentication controls.
Git Client-Side Link-Following Vulnerability (CVE-2025-48384)
The Git vulnerability is a different beast—one that puts developers, CI/CD pipelines, and container build systems squarely in the crosshairs.
Technical Breakdown
Git’s configuration handling can strip a trailing carriage return (CR) when reading a submodule path but fail to preserve it when writing. A mismatch occurs when a submodule path containing a trailing CR is interpreted incorrectly during checkout. If a symlink exists that points from the altered path to the repository’s hooks directory, and the submodule contains an executable post-checkout hook, that hook can be executed—allowing an attacker to run arbitrary code on the victim’s machine.
This is entirely a client-side attack. Servers hosting repositories are not directly vulnerable, but any client that clones or checks out a booby-trapped repository is at risk. Attackers who control repository contents—whether through a malicious commit, a pull request, or a supply-chain compromise—can weaponize this flaw to compromise developer workstations or build infrastructure.
Impact on CI/CD and Developer Environments
Automated pipelines that recursively clone submodules from untrusted sources are particularly exposed. A single poisoned repository checked out inside a CI runner can lead to execution of arbitrary commands, potentially allowing lateral movement or exfiltration of secrets. Local developer machines are equally vulnerable if they clone untrusted code.
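A pre-flight check a CI pipeline can run on a freshly cloned repository before initializing submodules, covering the mechanism described in the technical breakdown and the CI exposure above. This is an added example, not Git's or the article's own code; it looks for the three ingredients the description combines (a submodule path with a trailing CR or other control characters, a path that reaches into .git, and symlinks that resolve into a hooks directory), and the .gitmodules content and paths are constructed.

```python
from pathlib import Path
import os
import re

# Added example, not Git's own code. It parses .gitmodules as raw bytes on purpose:
# Git's config reader strips a trailing CR from the value, which is the mismatch the
# bug abuses, so a pre-flight check has to look at the bytes exactly as stored.
SECTION_RE = re.compile(rb'^[ \t]*\[submodule[ \t]+"(?P<name>[^"]*)"\][ \t\r]*$')
PATH_RE = re.compile(rb'^[ \t]*path[ \t]*=[ \t]*(?P<value>.*)$')  # greedy: keeps a trailing \r

def parse_gitmodules(raw: bytes) -> dict:
    """Map submodule name -> raw path bytes."""
    paths, current = {}, None
    for line in raw.split(b"\n"):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").decode(errors="replace")
            continue
        m = PATH_RE.match(line)
        if m and current is not None:
            paths[current] = m.group("value")
    return paths

def check_submodule_paths(raw: bytes) -> list:
    """Flag paths holding control characters (trailing CR included) or walking into .git / '..'."""
    findings = []
    for name, path in parse_gitmodules(raw).items():
        if re.search(rb"[\x00-\x1f\x7f]", path):
            findings.append(f"{name}: control character in path {path!r}")
        parts = path.strip().replace(b"\\", b"/").split(b"/")
        if b".git" in parts or b".." in parts:
            findings.append(f"{name}: path reaches .git or a parent directory {path!r}")
    return findings

def find_symlinks_into_hooks(repo: Path) -> list:
    """List symlinks under repo whose target resolves inside a hooks directory below .git."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(repo):
        for entry in dirnames + filenames:
            p = Path(dirpath) / entry
            if not p.is_symlink():
                continue
            parts = (p.parent / os.readlink(p)).resolve().parts
            if ".git" in parts and "hooks" in parts[parts.index(".git"):]:
                hits.append(f"{p.relative_to(repo)} -> {os.readlink(p)}")
    return hits

# Constructed sample: the "evil" path carries a trailing CR, "ok" is clean.
SAMPLE_GITMODULES = (b'[submodule "evil"]\n\tpath = evil\r\n\turl = https://example.invalid/evil.git\n'
                     b'[submodule "ok"]\n\tpath = libs/ok\n\turl = https://example.invalid/ok.git\n')
```

Run both checks against the clone root and fail the job on any finding before `git submodule update --init --recursive` executes.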
Patch Versions and Mitigations
The Git project released fixes across multiple maintenance tracks. Patched versions include:
- Git v2.50.1, with the fix backported to 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, and 2.49.1
Organizations should upgrade all Git clients—including those embedded in container base images, CI runner VMs, and developer laptops. If upgrading immediately isn’t feasible, mitigations include:
- Disabling recursive submodule cloning for untrusted repositories
- Avoiding automated execution of hooks in build pipelines
- Setting transfer.bundleURI=false and being cautious with certain credential helpers on Windows
GitLab, GitHub, and other platform vendors have also published advisories urging users to update their Git installations.
Why These Additions Demand Immediate Attention
Three factors make this KEV update especially pressing.
- Confirmed exploitation: CISA does not add a vulnerability to the KEV Catalog without reliable evidence of active exploitation. That evidence means exploit code is likely circulating, and commodity attacks are already underway.
- Dual exposure vectors: The Citrix flaws exploit the enterprise interior—intranet and domain-level access—while the Git flaw targets the developer supply chain from the outside. Together, they cover two common attack surfaces in modern organizations.
- Regulatory and insurance pressure: For FCEB agencies, BOD 22-01 mandates immediate remediation tracking and reporting. For everyone else, KEV listing often triggers vendor risk assessments, revised cyber insurance requirements, and accelerated penetration testing.
A Practical Remediation Plan for IT Teams
Security teams should move quickly on multiple fronts.
Immediate Triage
- Inventory all Citrix Session Recording servers, noting release versions and network placement. Identify which servers are reachable from user subnets or have broad authentication exposure.
- Catalog every environment that runs a Git client: developer machines, CI runners, container images, and any build agents that clone repositories. If you use shared runners or golden images, update those first.
Patch Deployment
- Citrix Session Recording: Apply the hotfix corresponding to your release stream (CR 2407 hotfix 24.5.200.8+, or LTSR CU/hotfixes). Schedule change windows immediately; roll back only if post-patch validation fails.
- Git clients: Roll out patched Git binaries via endpoint management or by rebuilding base images with v2.50.1 (or the appropriate backported version). Update package-manager sources and force upgrades on developer workstations.
Short-Term Defensive Measures
- Isolate Session Recording servers behind jump hosts and enforce Multi-Factor Authentication (MFA) for all administrative access.
- Disable recursive submodule cloning in CI pipelines; instead, clone only explicitly trusted submodules.
- Run builds inside ephemeral, least-privilege containers that block outgoing internet access.
- Audit any scheduled tasks or services running under the NetworkService account on Citrix Session Recording hosts.
Detection and Monitoring
Enhance telemetry to catch exploitation attempts:
- Alert on process creation where git.exe (or git on Linux) spawns scripts or shell interpreters in temporary directories immediately following a clone.
- Monitor .git/hooks directories for unexpected file writes during clone or checkout operations.
- Watch for unusual NetworkService process elevation or anomalous service account logons on Session Recording hosts.
- Correlate repository clone events with outbound network connections from build hosts.
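The two Git-related detections in the list above, written out as a correlation rule over constructed process-creation and file-write events. This is an added example, not code from the article or any EDR product; the event shape, host names, paths and the 120-second clone-to-hook window are assumptions, and the sample excludes Git's own .sample hook files, which a clone writes legitimately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the article or any EDR vendor: a correlation rule over
# constructed process-creation and file-write events in the shape a Sysmon/EDR
# pipeline emits, implementing the two Git-related detections listed above.
GIT_IMAGES = {"git", "git.exe"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "cmd.exe", "powershell.exe", "pwsh.exe"}
CLONE_WINDOW = timedelta(seconds=120)  # assumed: hook runs within 2 min of the clone

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process" or "filewrite"
    image: str   # image name of the new process, or of the writing process
    parent: str  # parent image name ("" for filewrite events)
    cwd: str     # working directory of the new process ("" for filewrite events)
    detail: str  # command line (process) or written path (filewrite)

def in_temp_dir(path: str) -> bool:
    return path.startswith(("/tmp/", "/var/tmp/")) or "\\temp\\" in path.lower()

def detect(events) -> list:
    """Rule A: interpreter spawned by git from a temp dir within CLONE_WINDOW of a clone on
    that host. Rule B: git writing a non-.sample file into a hooks directory under .git."""
    alerts, last_clone = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process" and e.image in GIT_IMAGES and "clone" in e.detail.split():
            last_clone[e.host] = e.ts
        elif e.kind == "process" and e.parent in GIT_IMAGES and e.image in INTERPRETERS:
            recent = e.host in last_clone and e.ts - last_clone[e.host] <= CLONE_WINDOW
            if recent and in_temp_dir(e.cwd):
                alerts.append(f"A {e.host}: {e.image} spawned by {e.parent} in {e.cwd} after clone")
        elif e.kind == "filewrite" and e.image in GIT_IMAGES:
            norm = e.detail.replace("\\", "/")
            if "/.git/" in norm and "/hooks/" in norm and not norm.endswith(".sample"):
                alerts.append(f"B {e.host}: {e.image} wrote hook {e.detail}")
    return alerts

# Constructed sample: a CI runner clones, git writes a post-checkout hook into a
# submodule's hooks dir, then a shell is spawned by git from the temp workspace.
T0 = datetime(2025, 8, 26, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ci-runner-7", "process", "git", "runner", "/tmp/build-42", "git clone --recurse-submodules https://example.invalid/r.git"),
    Event(T0 + timedelta(seconds=2), "ci-runner-7", "filewrite", "git", "", "", "/tmp/build-42/r/.git/hooks/pre-commit.sample"),
    Event(T0 + timedelta(seconds=5), "ci-runner-7", "filewrite", "git", "", "", "/tmp/build-42/r/.git/modules/evil/hooks/post-checkout"),
    Event(T0 + timedelta(seconds=6), "ci-runner-7", "process", "sh", "git", "/tmp/build-42/r/evil", "sh .git/modules/evil/hooks/post-checkout"),
    Event(T0 + timedelta(minutes=30), "dev-laptop-3", "process", "bash", "git", "/home/dev/proj", "bash .git/hooks/pre-commit"),
]
```

The developer-laptop event at the end is the expected benign case: a hook run by git with no preceding clone and outside a temp directory produces no alert.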
Validation and Communication
- Confirm hotfix installations via version checks and test Session Recording functionality in a non-production environment.
- Notify development teams, DevOps engineers, and VDI administrators of the patches and the risk of delay.
- If you manage CI/CD pipelines for downstream consumers, ensure those pipelines also run patched Git clients.
Policy and Compliance: Beyond the Federal Mandate
Though BOD 22-01 applies only to FCEB agencies, the KEV Catalog has become a de facto standard for vulnerability remediation across sectors. Auditors, insurers, and business partners increasingly expect organizations to treat KEV-listed flaws as critical. Failing to patch within a reasonable window can lead to contractual non-compliance, higher cyber insurance premiums, or even loss of coverage.
Agencies must report remediation status to CISA and demonstrate either patch deployment or compensating controls. Private organizations would be wise to adopt similar documentation: maintain change tickets, capture before-and-after vulnerability scans, and prepare for potential audits.
Looking Ahead: The Next 90 Days
With public proof-of-concept code often appearing shortly after a KEV listing, defenders should brace for an uptick in scanning and exploitation attempts. Two trends warrant special attention:
- Supply-chain attacks via Git: Malicious pull requests or poisoned packages designed to trigger the Git client bug inside CI environments.
- Lateral movement in VDI environments: Already-compromised user sessions being used to reach Session Recording infrastructure, leveraging the Citrix flaws for persistence or data theft.
Threat-hunting teams should prioritize these vectors for the rest of the quarter. EDR, SIEM, and application logs are the most valuable data sources for spotting early indicators.
The Bottom Line
CISA’s addition of CVE-2024-8068, CVE-2024-8069, and CVE-2025-48384 to the KEV Catalog is not a routine Tuesday. It is a clear signal that attackers are actively breaking into networks through these exact weaknesses. Whether you manage a federal enclave or a commercial DevOps shop, the response must be the same: locate every vulnerable instance, patch it, and harden your environment to limit the blast radius. The fixes exist. The only missing ingredient is speed.