CVE-2024-8068
published 2024-11-12

CVE-2024-8068: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active…

Priority: P1, 80 (high)
CVSS 3.1: 8 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2025-09-15
ITW: Exploited in the wild
EPSS: 1.40% (69.1th percentile)

Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_session_recording | | |
| citrix | citrix_session_recording | >= 1912 LTSR < CU9 hotfix 19.12.9100.6 | CU9 hotfix 19.12.9100.6 |
| citrix | citrix_session_recording | >= 2203 LTSR < CU5 hotfix 22.03.5100.11 | CU5 hotfix 22.03.5100.11 |
| citrix | citrix_session_recording | >= 2402 LTSR < CU1 hotfix 24.02.1200.16 | CU1 hotfix 24.02.1200.16 |
| citrix | citrix_session_recording | >= 2407 Current Release < 24.5.200.8 | 24.5.200.8 |
| citrix | citrix_virtual_apps_and_desktops | | |
| citrix | session_recording | < 2407 | 2407 |
| citrix | session_recording | | |
| citrix | session_recording | | |
| citrix | session_recording | | |
| citrix | session_recording | | |
| citrix | session_recording | | |
| citrix | xenserver | | |

Detection & IOCs (extracted from sources)

  • Target privilege escalation path: authenticated AD domain user escalating to NetworkService Account on the Citrix Session Recording server — monitor for unexpected NetworkService token creation or impersonation by non-SYSTEM/non-service processes on Session Recording hosts.
  • CVE-2024-8069 (companion vulnerability) achieves limited RCE via deserialization of untrusted data with NetworkService privileges — monitor for suspicious deserialization activity or unexpected child processes spawned under the NetworkService account on Citrix Session Recording servers.
  • Scope affected Citrix Session Recording versions for patching/detection: Current Release before 2407 hotfix 24.5.200.8, 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, 2402 LTSR before CU1 hotfix 24.02.1200.16 — inventory and flag unpatched instances.
  • CISA KEV confirmed active exploitation — treat any authenticated domain user interacting with the Citrix Session Recording service as a potential threat actor; audit AD accounts with access to the Session Recording server.
  • Exploitation requires the attacker to already be an authenticated user in the same Windows Active Directory domain as the Session Recording server; this is not an unauthenticated/internet-facing attack vector.
  • The CVSS 4.0 score is Medium (5.1), but CISA has confirmed active exploitation and added it to KEV; do not deprioritize based on score alone.
  • CVE-2024-8068 (privilege escalation) and CVE-2024-8069 (RCE via deserialization) are companion vulnerabilities patched together. Both must be remediated; patching one without the other leaves residual risk.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 5.1 | MEDIUM | |
| cisa | | 5.1 | MEDIUM | |