CVE-2024-8069

Published Nov 12, 2024

Last updated a day ago

Exploit knownCVSS medium 5.1
Citrix Session Recording

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-8069 is a deserialization of untrusted data vulnerability that affects Citrix Session Recording. Exploitation of this vulnerability allows a remote threat actor to execute arbitrary code on the server. The attacker needs network access to the target system, which must have a deployed Session Recording service. The attacker must also send a malicious serialized request to the MSMQ endpoint over HTTP. This vulnerability can lead to limited remote code execution with the privilege of a NetworkService Account. An attacker who is an authenticated user on the same intranet as the session recording server can exploit this flaw.

Description
Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server
Source
secure@citrix.com
NVD status
Analyzed
Products
session_recording

Insights

Analysis from the Intruder Security Team
Published Nov 13, 2024

Watchtowr have released a technical article about this vulnerability and its discovery. The details within the article, and poc video call into question the official vulnerability information released by Citrix.

The exploit chain used by Watchtowr relies on sending a HTTP request to the MSMQ which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which will allow any host to directly communicate to it via HTTP. With this information and the evidence laid out by Watchtowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, this CVSS score should be in the high 9's.

What isn't certain is if the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or if it is more malicious whereby another vendor is attempting to downplay the severity of a vulnerability within their software.

Following the release of the proof of concept on the 12th of November 2024, the Shadowserver foundation have witnessed attempts at exploitation.

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.1
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
8
Impact score
5.9
Exploitability score
2.1
Vector string
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Exploit added on
Aug 25, 2025
Exploit action due
Sep 15, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@citrix.com
CWE-502

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

26

  1. CISA adds Citrix vulnerabilities CVE-2024-8069 and CVE-2024-8068 to KEV catalog. Critical zero-day CVE-2025-7775 in NetScaler ADC/Gateway actively exploited, causing remote code execution. #CitrixRisks #NetScalerFlaws #USA https://t.co/DyZ4vHdoZt

    @TweetThreatNews

    26 Aug 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CISA alerts on a critical Git flaw (CVE-2025-48384) enabling arbitrary code execution via crafted submodules in config files. Citrix Session Recording bugs CVE-2024-8068 & CVE-2024-8069 also noted. Updates available from Git v2.43.7. #GitVulnerability #USA https://t.co/pBsmWJ

    @TweetThreatNews

    26 Aug 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Cisa added 3️⃣ Dangerous vulnerability to Kev. Two relate to Citrix Session Recording (Cve-2024-8068, Cve-2024-8069) and allow increase privileges and implementation code. The third - Cve-2025-48384 In git with CVSS 8.1, can lead to Launch harmful code While cloning repositor

    @Hack_Your_Mom

    26 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CISA added three actively exploited vulnerabilities to KEV catalog impacting Citrix Session Recording (CVE-2024-8068, CVE-2024-8069) and Git (CVE-2025-48384), enabling privilege escalation and code execution. #Citrix #GitFlaw #USA https://t.co/QJjk7oXQXW

    @TweetThreatNews

    26 Aug 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. ⚠️Citrix製品とGitの脆弱性が悪用される、米CISAがKEVカタログに追加(CVE-2024-8069、CVE-2024-8068、CVE-2025-48384) 〜サイバーアラート8月26日〜 https://t.co/AWpmkysT8J #セキュリティ #インテリジェンス #OSINT

    @MachinaRecord

    26 Aug 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-8069 #Citrix Session Recording Deserialization of Untrusted Data Vulnerability https://t.co/sNmxeYuCle

    @ScyScan

    25 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🛡️ We added Citrix and Git vulnerabilities CVE-2024-8068, CVE-2024-8069, & CVE-2025-48384 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwapzIN & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec https://t.co/0Hu

    @CISACyber

    25 Aug 2025

    16394 Impressions

    59 Retweets

    148 Likes

    30 Bookmarks

    5 Replies

    2 Quotes

  8. 1/10 Urgent Alert: Citrix Session Recording vulnerabilities (CVE-2024-8068 & CVE-2024-8069) are under active exploitation. Patch now! #CyberSecurityAlert #CitrixVuln 🚨🔒

    @Eth1calHackrZ

    2 Dec 2024

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. #ThreatProtection #CVE-2024-8068, #CVE-2024-8069 - Citrix Session Recording RCE #Vulnerability, read more about Symantec's protection: https://t.co/p6g62pwMxO

    @threatintel

    27 Nov 2024

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 2/10 🔍 Vulnerabilities Unveiled: 1. CVE-2024-8068: Privilege escalation to NetworkService. 2. CVE-2024-8069: Limited RCE as NetworkService. Update now to protect your systems! #CyberVulnerabilities

    @Eth1calHackrZ

    25 Nov 2024

    27 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. De multiples tentatives d'exploitation observées pour deux vulnérabilités d'enregistrement de sessions Citrix (CVE-2024-8068 et CVE-2024-8069) https://t.co/Otwqa5PBIL

    @cert_ist

    21 Nov 2024

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Actively exploited CVE : CVE-2024-8069

    @transilienceai

    21 Nov 2024

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. 🚨 CVE-2024-8068 & CVE-2024-8069: Citrix Session Recording Manager Unauthenticated RCE is actively being exploited. https://t.co/hTKeS4v9Ah https://t.co/9fBUULr12D

    @IntCyberDigest

    18 Nov 2024

    462 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  14. #Cybersecurity researchers have disclosed new #security flaws (CVE-2024-8068 & CVE-2024-8069) impacting #Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated RCE. https://t.co/pkIeFCFh3c https://t.co/dIPlnqmkmZ

    @twelvesec

    14 Nov 2024

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. csirt_it: ‼ #Citrix: disponibile #PoC per lo sfruttamento della CVE-2024-8069 che interessa il prodotto #CitrixVirtualAppsandDesktops Rischio: 🟠 Tipologia: 🔸Remote Code Execution 🔗 https://t.co/CVXf9B164m 🔄 Aggiornamenti disponibili 🔄 https://t.co/hAuBHZK0R8

    @Vulcanux_

    14 Nov 2024

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. ‼ #Citrix: disponibile #PoC per lo sfruttamento della CVE-2024-8069 che interessa il prodotto #CitrixVirtualAppsandDesktops Rischio: 🟠 Tipologia: 🔸Remote Code Execution 🔗 https://t.co/J6agrWFEoL 🔄 Aggiornamenti disponibili 🔄 https://t.co/jouu9zBJMK

    @csirt_it

    14 Nov 2024

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 🚨Vulnerabilidades en Citrix Virtual Apps permiten ataques RCE a través de una mala configuración de MSMQ CVE-2024-8068 CVE-2024-8069 https://t.co/7i5sFBgkHb

    @elhackernet

    13 Nov 2024

    3225 Impressions

    14 Retweets

    59 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  18. Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069 → https://t.co/0MYc2PpA6L

    @ripjyr

    12 Nov 2024

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. We started seeing Citrix Virtual Apps and Desktops CVE-2024-8068/CVE-2024-8069 PoC based attempts at around 16:00 UTC today, shortly after publication. While there is discussion on whether these are remotely exploitable without auth, we urge you to update your installations NOW

    @Shadowserver

    12 Nov 2024

    11254 Impressions

    39 Retweets

    69 Likes

    34 Bookmarks

    2 Replies

    0 Quotes

  20. Please see our latest Citrix Session Recording Security Bulletin regarding CVE-2024-8068 and CVE-2024-8069. Citrix urges affected customers to install the relevant updated versions as soon their upgrade schedule permits: https://t.co/k2QQAQoyQs

    @citrix

    12 Nov 2024

    2778 Impressions

    2 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    1 Quote

  21. CVE-2024-8068 & CVE-2024-8069: Citrix Session Recording Manager Unauthenticated RCE Exploits Publicly Available Discover the critical vulnerabilities in Citrix Session Recording Manager that allow unauthenticated RCE on Citrix Virtual Apps and Desktops. https://t.co/QLwpDlZX

    @the_yellow_fall

    12 Nov 2024

    1466 Impressions

    14 Retweets

    24 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

Configurations