
CISA adds Citrix and Git vulnerabilities to Known Exploited Vulnerabilities (KEV) catalog

Overview

On 25 August 2025, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an alert adding three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The KEV catalog lists vulnerabilities with evidence of active exploitation and is part of Binding Operational Directive 22‑01, which requires Federal Civilian Executive Branch agencies to remediate listed flaws by specified deadlines. Although the directive applies to federal agencies, CISA urges all organizations to prioritize patching KEV-listed vulnerabilities.

Newly added vulnerabilities

  1. CVE‑2024‑8069 – Citrix Session Recording Deserialization of Untrusted Data: An attacker can exploit improper handling of serialized data in Citrix Session Recording to achieve remote code execution.
  2. CVE‑2024‑8068 – Citrix Session Recording Improper Privilege Management: This flaw allows privilege escalation through incorrect privilege validation in the same product.
  3. CVE‑2025‑48384 – Git Link Following Vulnerability: When handling Git repositories, improper link following could allow attackers to traverse directories and access files outside the repository.

CISA did not provide technical details on exploitation but noted that these vulnerabilities are frequent attack vectors and pose significant risks to the federal enterprise.

Implications for organizations

Because the vulnerabilities have been observed in active attacks, organizations using Citrix Session Recording or Git should assume systems are at risk. Attackers can exploit deserialization or privilege‑management flaws in Citrix Session Recording to execute arbitrary code or elevate privileges. The Git vulnerability can expose sensitive files and credentials if attackers can trick users into cloning or accessing a malicious repository.

Recommended actions

  1. Apply vendor patches: Update Citrix Session Recording to the latest version as soon as patches are available. Ensure that Git clients/servers are updated to mitigate the link‑following issue.
  2. Review access controls: Limit access to recording servers and repositories; ensure that only trusted users can execute code or manage sessions.
  3. Monitor logs: Watch for unusual activity such as unexpected deserialization errors, privilege escalation events or repository file access.
  4. Follow CISA KEV guidance: Subscribe to CISA alerts and track remediation deadlines to stay compliant with federal directives.
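The KEV catalog described in the overview is published by CISA as a JSON feed, and the recommended actions above amount to a recurring triage loop: pull the catalog, match it against what you run, and track each entry's remediation due date. The script below is an added example, not CISA's or this page's code. It assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the catalog snapshot and asset inventory are constructed samples, with the three CVE IDs from this page but placeholder dates and due dates rather than the live catalog's values.

```python
"""Triage a CISA KEV catalog snapshot against a software inventory.

Added example, not CISA's code. Field names follow CISA's public KEV JSON
feed; the catalog entries and inventory below are constructed samples.
"""
import json
from datetime import date

# Constructed KEV snapshot. The CVE IDs match the page; dateAdded, dueDate
# and requiredAction are placeholders, not values from the live catalog.
KEV_SNAPSHOT_JSON = json.dumps({
    "title": "KEV snapshot (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-8069",
            "vendorProject": "Citrix",
            "product": "Session Recording",
            "vulnerabilityName": "Citrix Session Recording Deserialization of Untrusted Data",
            "dateAdded": "2025-08-25",
            "dueDate": "2025-09-15",  # placeholder
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-2024-8068",
            "vendorProject": "Citrix",
            "product": "Session Recording",
            "vulnerabilityName": "Citrix Session Recording Improper Privilege Management",
            "dateAdded": "2025-08-25",
            "dueDate": "2025-09-15",  # placeholder
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-2025-48384",
            "vendorProject": "Git",
            "product": "Git",
            "vulnerabilityName": "Git Link Following Vulnerability",
            "dateAdded": "2025-08-25",
            "dueDate": "2025-09-08",  # placeholder
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
    ],
})

# Constructed asset inventory: a recording server, a build host with a Git
# client, and a host running nothing that appears in the snapshot.
INVENTORY = [
    {"host": "rec01.corp.example", "vendor": "Citrix", "product": "Citrix Session Recording"},
    {"host": "build07.corp.example", "vendor": "Git", "product": "git client"},
    {"host": "web03.corp.example", "vendor": "F5", "product": "NGINX"},
]


def load_kev(snapshot_json: str) -> list:
    """Return the vulnerability entries from a KEV-shaped JSON document."""
    return json.loads(snapshot_json)["vulnerabilities"]


def affected_entries(asset: dict, kev_entries: list) -> list:
    """KEV entries whose vendor matches the asset and whose product name
    appears in the asset's product string (case-insensitive)."""
    vendor = asset["vendor"].strip().lower()
    product = asset["product"].strip().lower()
    return [
        e for e in kev_entries
        if e["vendorProject"].strip().lower() == vendor
        and e["product"].strip().lower() in product
    ]


def triage(kev_entries: list, inventory: list, today_iso: str) -> list:
    """Match inventory to KEV entries and rank by remediation deadline.

    today_iso is passed in (YYYY-MM-DD) so the ranking is reproducible.
    Overdue findings sort first, most overdue at the top; the rest sort
    by soonest due date.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in affected_entries(asset, kev_entries):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "daysLeft": (due - today).days,
                "overdue": due < today,
            })
    findings.sort(key=lambda f: (not f["overdue"], f["daysLeft"]))
    return findings


def report(findings: list) -> str:
    """One line per finding: host, CVE, due date and deadline status."""
    lines = []
    for f in findings:
        state = (f"OVERDUE by {-f['daysLeft']} d" if f["overdue"]
                 else f"due in {f['daysLeft']} d")
        lines.append(f"{f['host']:<22} {f['cveID']:<16} {f['dueDate']}  {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = load_kev(KEV_SNAPSHOT_JSON)
    print(report(triage(entries, INVENTORY, date.today().isoformat())))
```

In practice the snapshot string would be replaced by the downloaded feed and the inventory by an export from your CMDB or agent data; the matching here is deliberately simple (exact vendor, product substring), so review the unmatched assets as well as the matches when you adopt it.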

Conclusion

CISA’s KEV catalog is a living list of vulnerabilities that have been exploited in the wild. Adding the Citrix Session Recording and Git flaws underscores that even well‑established tools can harbor serious vulnerabilities. Organizations should patch swiftly and incorporate KEV monitoring into their vulnerability management programs to reduce exposure.
