CVE-2024-8068
published 2024-11-12CVE-2024-8068: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active…
PriorityP180high8CVSS 3.1
AVAACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-09-15
Exploited in the wild
EPSS
1.40%
69.1th percentile
Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_session_recording | — | — |
| citrix | citrix_session_recording | >= 1912 LTSR < CU9 hotfix 19.12.9100.6 | CU9 hotfix 19.12.9100.6 |
| citrix | citrix_session_recording | >= 2203 LTSR < CU5 hotfix 22.03.5100.11 | CU5 hotfix 22.03.5100.11 |
| citrix | citrix_session_recording | >= 2402 LTSR < CU1 hotfix 24.02.1200.16 | CU1 hotfix 24.02.1200.16 |
| citrix | citrix_session_recording | >= 2407 Current Release < 24.5.200.8 | 24.5.200.8 |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | session_recording | < 2407 | 2407 |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | xenserver | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target privilege escalation path: authenticated AD domain user escalating to NetworkService Account on the Citrix Session Recording server — monitor for unexpected NetworkService token creation or impersonation by non-SYSTEM/non-service processes on Session Recording hosts. ↗
- →CVE-2024-8069 (companion vulnerability) achieves limited RCE via deserialization of untrusted data with NetworkService privileges — monitor for suspicious deserialization activity or unexpected child processes spawned under the NetworkService account on Citrix Session Recording servers. ↗
- →Scope affected Citrix Session Recording versions for patching/detection: Current Release before 2407 hotfix 24.5.200.8, 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, 2402 LTSR before CU1 hotfix 24.02.1200.16 — inventory and flag unpatched instances. ↗
- →CISA KEV confirmed active exploitation — treat any authenticated domain user interacting with the Citrix Session Recording service as a potential threat actor; audit AD accounts with access to the Session Recording server. ↗
- ·Exploitation requires the attacker to already be an authenticated user in the same Windows Active Directory domain as the Session Recording server — this is not an unauthenticated/internet-facing attack vector. ↗
- ·CVSS score is Medium (5.1), but CISA has confirmed active exploitation and added it to KEV — do not deprioritize based on score alone. ↗
- ·CVE-2024-8068 (privilege escalation) and CVE-2024-8069 (RCE via deserialization) are companion vulnerabilities patched together — both must be remediated; patching one without the other leaves residual risk. ↗
CVSS provenance
nvdv3.18.0HIGHCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.1MEDIUMCVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck5.1MEDIUM
cisa5.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Citrix Session Recording Improper Privilege Management Vulnerability
cisa·2025-08-25·CVSS 5.1
CVE-2024-8068 [MEDIUM] CWE-269 Citrix Session Recording Improper Privilege Management Vulnerability
Vulnerability: Citrix Session Recording Improper Privilege Management Vulnerability
Affected: Citrix Session Recording
Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8068
Remediation Due Date: 2025-09-15
Citrix
Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
vendor_citrix·2024-11-14·CVSS 5.1
CVE-2024-8068 [MEDIUM] CWE-269 Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
of Problem A vulnerability has been discovered in Citrix Session Recording. Refer below for further details:
CVE References: CVE-2024-8068, CVE-2024-8069
Affected Products: Citrix Session Recording, Citrix Virtual Apps and Desktops, Session Recording, XenServer, session recording
Severity: Medium
CVSS Score: 5.1
Remediation:
Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon as their upgrade schedule permits: Current Release (CR) Citrix Session Recording 2407 hotfix 24.5.200.8 and later Long Term Service Release (LTSR) Citrix Session Recording 1912 LTSR CU9 hotfix 19.12.9100.6 and later Citrix Session
Citrix
CVE-2024-8068: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active
vendor_citrix·2024-11-12·CVSS 8.0
CVE-2024-8068 [HIGH] CWE-269 CVE-2024-8068: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active
CVE-2024-8068: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain
CISA KEV: Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
GHSA
GHSA-c43q-qj38-7p5j: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active
ghsa_unreviewed·2024-11-12
CVE-2024-8068 [MEDIUM] CWE-269 GHSA-c43q-qj38-7p5j: Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active
Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain
VulnCheck
Citrix Session Recording Improper Privilege Management Vulnerability
vulncheck·2024·CVSS 5.1
CVE-2024-8068 [MEDIUM] CWE-269 Citrix Session Recording Improper Privilege Management Vulnerability
Citrix Session Recording Improper Privilege Management Vulnerability
Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.
Affected: Citrix Session Recording
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://infosec.exchange/@shadowserver/113471909797234133; https://isc.sans.edu/diary/31446; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://hs-8813571.f.hu
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA warns of actively exploited Git code execution flaw
blogs_bleepingcomputer·2025-08-26·CVSS 5.1
[MEDIUM] CISA warns of actively exploited Git code execution flaw
## CISA warns of actively exploited Git code execution flaw
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system.
The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th.
Git version control system allows software development teams to track codebase changes over time. The library is the backbone of modern software collaboration, serving as the basis for platforms such as GitHub, GitLab, and Bitbucket.
The exploited vulnerability in Git has a high-severity score and is tracked as CVE-2025-48384 . It stems from Git's mishandling of carriage return
Wiz
Crying Out Cloud - December 2024 Newsletter | Wiz
blogs_wiz·2024-12-12·CVSS 9.3
CVE-2024-0012 [CRITICAL] Crying Out Cloud - December 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.
Here are our top picks!
🔍 Highlights
RCE Vulnerability in PAN-OS
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.
Learn more in our blog .
🐞 High Profile Vulnerabilities
Critical Vulnerability in Spring WebFlux
A critical vulnerability, CVE-2024-38821, was identifie
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
# August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
2024-11-12
Published
2025-08-25
Added to CISA KEV
Exploited in the wild