CISA Adds Citrix and Git Flaws to Exploited Vulnerabilities Catalog Amid Active Attacks

Three newly exploited vulnerabilities have prompted urgent warnings from CISA as attackers leverage them for privilege escalation and code execution.

Leon Yen

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are actively being used in the wild. Two of these flaws affect Citrix Session Recording, while the third targets Git. All three vulnerabilities pose real-world risks to enterprise systems, especially those lacking timely patching.

The Citrix flaws—CVE-2024-8068 and CVE-2024-8069—both score 5.1 on the CVSS scale. CVE-2024-8068 allows privilege escalation to a NetworkService Account when exploited by an authenticated user within the same Active Directory domain. CVE-2024-8069 is more insidious, allowing remote code execution via deserialization of untrusted data, given similar access conditions. These flaws were responsibly disclosed to Citrix in July 2024 by watchTowr Labs and patched in November.

The third flaw, CVE-2025-48384, affects Git and has a higher CVSS score of 8.1 due to its potential for arbitrary code execution. The vulnerability arises from how Git handles carriage return characters in configuration files. A proof-of-concept by Datadog revealed that this flaw can be exploited during repository cloning, allowing malicious code execution by manipulating submodule paths and symlinks.

CISA did not reveal attribution or technical details about current exploitation campaigns. However, federal agencies have been ordered to patch the vulnerabilities by September 15, 2025, to protect against active threats.

Healthcare and medical IT professionals should treat this alert with urgency. Citrix environments are commonly used in healthcare for session recording and remote access, making these flaws especially dangerous in HIPAA-regulated environments. Similarly, Git is used in software development pipelines that may include healthcare applications or infrastructure components.

Immediate recommendations include:

  • Patching all affected Citrix Session Recording servers and Git clients without delay.
  • Validating Active Directory and intranet segmentation to limit lateral movement.
  • Conducting threat hunting for unusual Git submodule or session recording activity.
  • Monitoring for signs of privilege escalation or unauthorized code execution.
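
As an added illustration of the Git threat-hunting recommendation above (not code from CISA, Datadog or the Git project), the following Python example scans the raw bytes of a `.gitmodules` file for carriage returns or other control characters in submodule `path` and `url` values. The sample input is constructed, the function name is hypothetical, and the path-traversal check is an extra heuristic assumed here rather than something this article describes.

```python
import re

# Constructed sample .gitmodules bytes (not from a real repository): LF line
# endings throughout, except the "lib" path value, which carries a stray CR.
SAMPLE_GITMODULES = (
    b'[submodule "docs"]\n'
    b'\tpath = docs\n'
    b'\turl = https://example.invalid/docs.git\n'
    b'[submodule "lib"]\n'
    b'\tpath = vendor/lib\r\n'
    b'\turl = https://example.invalid/lib.git\n'
)

SECTION = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$')
KEYVAL = re.compile(rb'^\s*(path|url)\s*=\s*(.*)$', re.IGNORECASE)
CONTROL = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')  # control bytes except tab


def find_suspicious_submodules(data: bytes):
    """Return (line_no, submodule, key, reason) tuples for risky entries."""
    lines = data.split(b'\n')  # split on LF only so a stray CR stays visible
    if lines and lines[-1] == b'':
        lines.pop()  # drop the empty piece after the final newline
    # A file saved with CRLF on every line is benign; only then strip the CRs.
    if lines and all(ln.endswith(b'\r') for ln in lines):
        lines = [ln[:-1] for ln in lines]
    findings, current = [], None
    for line_no, raw in enumerate(lines, start=1):
        section = SECTION.match(raw)
        if section:
            current = section.group(1).decode('utf-8', 'replace')
            continue
        kv = KEYVAL.match(raw)
        if not kv or current is None:
            continue
        key, value = kv.group(1).decode().lower(), kv.group(2)
        if CONTROL.search(value):
            findings.append((line_no, current, key, 'control character in value'))
        if key == 'path':
            # Extra heuristic (assumption of this example): absolute paths,
            # ".." components, or a path rooted at .git are worth a review.
            clean = value.strip(b'"\r ')
            parts = clean.split(b'/')
            if clean.startswith(b'/') or b'..' in parts or parts[0] == b'.git':
                findings.append((line_no, current, key, 'path escapes worktree'))
    return findings
```

Read the file in binary mode before passing it in, so that carriage returns are not normalized away ahead of the check.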

Failing to act promptly could leave healthcare systems vulnerable to data breaches, regulatory violations, or operational disruption.

Sources: cisa.gov
Leon is a medtech and public health journalist based in San Francisco.