CISA Issues Alert on Citrix Vulnerabilities Under Active Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) announced today the addition of three newly observed vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on confirmed evidence of active exploitation by malicious actors.

These inclusions underscore the persistent threat posed by deserialization flaws, improper privilege management, and link-following bugs in widely used enterprise software.

CISA’s KEV Catalog, established under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, mandates that Federal Civilian Executive Branch (FCEB) agencies remediate listed vulnerabilities by specified due dates to defend networks against active threats.

Although BOD 22-01 applies only to FCEB agencies, CISA strongly urges all organizations to integrate KEV Catalog remediation priorities into their vulnerability management programs.

The three newly cataloged CVEs are summarized below:

| CVE Identifier | Vulnerability Type | Affected Product & Impact | Reference |
|---|---|---|---|
| CVE-2024-8069 | Deserialization of Untrusted Data | Citrix Session Recording: Allows attackers to deserialize maliciously crafted data, potentially leading to remote code execution or unauthorized actions. | https://www.cve.org/CVERecord?id=CVE-2024-8069 |
| CVE-2024-8068 | Improper Privilege Management | Citrix Session Recording: Permits escalation of privileges, enabling a low-privileged user to perform administrative functions. | https://www.cve.org/CVERecord?id=CVE-2024-8068 |
| CVE-2025-48384 | Link-Following Vulnerability | Git: Enables attackers to craft repositories with malicious symbolic links or URL references that, when followed, could expose sensitive local files or credentials. | https://www.cve.org/CVERecord?id=CVE-2025-48384 |

The Citrix Session Recording vulnerabilities (CVE-2024-8069 and CVE-2024-8068) stem from flaws in the handling of session data and the enforcement of user privileges.

Deserialization of untrusted input is a long-standing security risk that can lead to arbitrary code execution when attackers manipulate serialized objects.

Improper privilege management, on the other hand, allows threat actors to bypass intended access controls, granting elevated permissions beyond their authorization level.

The Git Link-Following Vulnerability (CVE-2025-48384) represents a newer category of risk, whereby maliciously constructed repositories contain symlinks or URL references that a cloning operation inadvertently follows.

This can expose users or automated systems to unauthorized file access or the injection of sensitive credentials, which is particularly dangerous for continuous integration/continuous deployment (CI/CD) pipelines and automated build environments.

BOD 22-01 defines the KEV Catalog as a living document of actively exploited CVEs with significant risk to the federal enterprise.

FCEB agencies must adhere to the specified remediation timelines detailed in the BOD 22-01 Fact Sheet to maintain compliance and network security.

The directive also guides patch prioritization, risk assessment, and reporting requirements.

While BOD 22-01’s binding requirements are limited to federal agencies, CISA emphasizes the broader importance of KEV Catalog vulnerabilities.

All organizations—private sector, academia, and critical infrastructure operators—are urged to:

  1. Continuously monitor the KEV Catalog for newly added vulnerabilities.
  2. Assess their environment for exposure to cataloged CVEs.
  3. Prioritize patch deployment or implement compensating controls promptly.

Timely remediation helps mitigate the window of opportunity for attackers and strengthens resilience against emerging threat vectors.
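The three steps above can be automated against an asset inventory. The following Python sketch is an added example, not CISA tooling: the field names follow the KEV JSON feed, the CVE IDs come from this article, and the dates, hostnames and exact vendor/product matching are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. CVE IDs are from the
# article; dateAdded/dueDate are placeholder dates, not the real deadlines.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2024-8069", "vendorProject": "Citrix", "product": "Session Recording",
   "dateAdded": "2000-01-01", "dueDate": "2000-01-22"},
  {"cveID": "CVE-2024-8068", "vendorProject": "Citrix", "product": "Session Recording",
   "dateAdded": "2000-01-01", "dueDate": "2000-01-22"},
  {"cveID": "CVE-2025-48384", "vendorProject": "Git", "product": "Git",
   "dateAdded": "2000-01-01", "dueDate": "2000-01-15"}
]}
""")

# Constructed asset inventory (hypothetical hosts and products).
INVENTORY = [
    {"host": "rec-01", "vendor": "citrix", "product": "session recording"},
    {"host": "ci-runner-07", "vendor": "git", "product": "git"},
    {"host": "mail-02", "vendor": "examplecorp", "product": "examplemail"},
]

def _key(vendor, product):
    # Normalise case and whitespace so feed and inventory names compare equal.
    return (vendor.strip().lower(), product.strip().lower())

def new_entries(catalog, seen_cves):
    """Step 1: catalog entries that were not present in the previous pull."""
    return [v for v in catalog["vulnerabilities"] if v["cveID"] not in seen_cves]

def triage(catalog, inventory, seen_cves, today):
    """Steps 2-3: map new entries to exposed hosts, most urgent deadline first."""
    hosts_by_product = {}
    for asset in inventory:
        key = _key(asset["vendor"], asset["product"])
        hosts_by_product.setdefault(key, []).append(asset["host"])
    findings = []
    for v in new_entries(catalog, seen_cves):
        due = date.fromisoformat(v["dueDate"])
        for host in hosts_by_product.get(_key(v["vendorProject"], v["product"]), []):
            findings.append({"cve": v["cveID"], "host": host,
                             "days_left": (due - today).days, "overdue": today > due})
    return sorted(findings, key=lambda f: (f["days_left"], f["cve"], f["host"]))

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, {"CVE-2024-8068"}, date(2000, 1, 10)):
        print(finding)
```

In practice the inventory would come from a CMDB or software bill of materials, and product names rarely match the feed exactly, so the matching step usually needs an alias table.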

CISA will continue to update the KEV Catalog with vulnerabilities that meet the established criteria, providing a central resource for organizations to track and defend against known exploits.

This product is provided subject to CISA’s Notification and Privacy & Use policy.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
