What is CISA warning about regarding Citrix vulnerabilities?

CISA is warning of active exploitation of vulnerabilities in Citrix Session Recording solutions. Despite patches being available for several months, there are still unpatched systems that are being actively attacked.

What are the two Citrix vulnerabilities being actively exploited?

The two vulnerabilities are CVE-2024-8069 (Citrix Session Recording Deserialization of Untrusted Data Vulnerability) and CVE-2024-8068 (Citrix Session Recording Improper Privilege Management Vulnerability), both with CVSS scores of 5.1.

What does CVE-2024-8069 allow attackers to do?

CVE-2024-8069 is a Deserialization of Untrusted Data Vulnerability that allows authenticated attackers who are on the same intranet as the Session Recording server to feed crafted serialized data that is processed insecurely, potentially achieving code execution with elevated privileges.

What does CVE-2024-8068 enable for attackers?

CVE-2024-8068 is an Improper Privilege Management Vulnerability that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain.

When were the Citrix vulnerabilities patched and who discovered them?

The vulnerabilities were patched by Citrix in November 2024 following responsible disclosure by watchTowr Labs on July 14, 2024.

What is the deadline for US Agencies to patch these Citrix vulnerabilities?

US Agencies must patch these Citrix Session Recording vulnerabilities by September 15, 2025.

What are the CVSS scores for the Citrix vulnerabilities?

Both CVE-2024-8069 and CVE-2024-8068 have CVSS scores of 5.1.

Attack

Cisa warns of actively exploited flaws in Citrix

published: Aug. 26, 2025

Take action: If you are using Citrix and Virtual apps, the time for debate is over. Yes, the severity is low, but the flaws are being exploited. So don't wait, update your Citrix installations NOW!

Learn More

CISA is warning of active exploitation in Citrix. The vulnerabilities affect organizations using Citrix Session Recording solutions.

Vulnerabilities summary:

CVE-2024-8069 (CVSS score 5.1), Citrix Session Recording Deserialization of Untrusted Data Vulnerability. It allows authenticated attackers who are on the same intranet as the Session Recording server to feed crafted serialized data that is processed insecurely, potentially achieving code execution with elevated privileges.
CVE-2024-8068 (CVSS score 5.1), Citrix Session Recording Improper Privilege Management Vulnerability. It could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain. This weakness enables threat actors to escalate privileges beyond their authorized access levels.

The flaws were patched by the company in November 2024 following responsible disclosure by watchTowr Labs on July 14, 2024. Despite patches being available for several months, there are still unpatched systems that are being actively attacked.

US Agencies must patch by September 15, 2025.

Cisa warns of actively exploited flaws in Citrix

Read More
CISA confirms exploitation of two BeyondTrust flaws, urges …
Hackers actively exploit the GitLab 'Forgot Your Password' …
Active attacks reported against end-of-life Zyxel NAS devices
Critical Roundcube Webmail vulnerability exploited within days of …
CISA warns of GeoServer critical flaw under active …