CVE-2024-8069
published 2024-11-12


Priority: P1 82
CVSS 3.1: 8 (high), vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2025-09-15
Exploited in the wild
EPSS: 14.74% (96.3th percentile)
Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server

Affected (13 ranges)

Vendor                   | Product                          | Version range                              | Fixed in
citrix                   | citrix_session_recording         |                                            |
citrix                   | citrix_virtual_apps_and_desktops |                                            |
citrix                   | session_recording                | < 2407                                     | 2407
citrix                   | session_recording                |                                            |
citrix                   | session_recording                |                                            |
citrix                   | session_recording                |                                            |
citrix                   | session_recording                |                                            |
citrix                   | session_recording                |                                            |
citrix                   | xenserver                        |                                            |
citrix_session_recording | citrix_session_recording         | >= 1912 LTSR, < CU9 hotfix 19.12.9100.6    | CU9 hotfix 19.12.9100.6
citrix_session_recording | citrix_session_recording         | >= 2203 LTSR, < CU5 hotfix 22.03.5100.11   | CU5 hotfix 22.03.5100.11
citrix_session_recording | citrix_session_recording         | >= 2402 LTSR, < CU1 hotfix 24.02.1200.16   | CU1 hotfix 24.02.1200.16
citrix_session_recording | citrix_session_recording         | >= 2407 Current Release, < 24.5.200.8      | 24.5.200.8

Detection & IOCs (extracted from sources)

url:   /msmq/private$/citrixsmaudeventdata
path:  /msmq/Private$/CitrixSmAudEventData
other: soapaction: "msmqmessage"
other: System.DelegateSerializationHolder

Snort/Suricata rule (ET sid 2057435):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/msmq/private$/citrixsmaudeventdata"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20 22|msmqmessage|22|"; http.request_body; content:"/msmq/Private$/CitrixSmAudEventData"; nocase; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"System|2e|DelegateSerializationHolder"; distance:0; reference:url,labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/; reference:cve,2024-8069; classtype:web-application-attack; sid:2057435; rev:1; metadata:affected_product Citrix, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_8069, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic uses the HTTP POST method against the MSMQ private queue endpoint for Citrix Session Recording audit event data.
  • Exploit requests carry a SOAPAction header value of 'msmqmessage', a strong and specific indicator of exploitation attempts.
  • The exploit request body contains 'System.DelegateSerializationHolder', a marker of a .NET deserialization gadget chain that indicates a malicious serialized payload.
  • The exploit request body uses a Content-Type of application/octet-stream, consistent with a raw serialized binary payload being submitted to the MSMQ endpoint.
  • The vulnerability is exploitable only by an authenticated user on the same intranet as the Session Recording server; monitor for lateral movement from internal hosts to the Session Recording server on this endpoint.
  • Successful exploitation results in code execution under the NetworkService account; monitor for anomalous processes spawned by NetworkService on Citrix Session Recording servers.
  • Exploit details are documented in the watchTowr Labs research blog, credited with discovering the vulnerability.
  • The Snort/Suricata rule carries 'tls_state TLSDecrypt' metadata, meaning it only fires on decrypted TLS traffic. Ensure SSL/TLS inspection (SSLDecrypt) is enabled on perimeter and internal sensors for this rule to be effective.
  • The vulnerability affects multiple Citrix Session Recording LTSR and CR versions, so patches must be applied per branch. Unpatched versions include: 2407 before hotfix 24.5.200.8, 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16.
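The same indicator set the rule encodes, expressed as a check a defender can run over a captured, already-decrypted request (for example when triaging a sensor alert). This is an added example, not code from the rule's authors or from Citrix; the two requests inside are constructed, with placeholder bodies, and the hostname is assumed.

```python
"""Apply the content conditions of ET sid 2057435 (CVE-2024-8069) to one
raw HTTP request.  Added example; the samples below are constructed."""

QUEUE_URI = b"/msmq/private$/citrixsmaudeventdata"
GADGET_MARKER = b"System.DelegateSerializationHolder"
OCTET_STREAM_LINE = b"Content-Type: application/octet-stream\r\n"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body).
    Header names are lower-cased; values keep their original case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def matches_cve_2024_8069_rule(raw: bytes) -> bool:
    """True only when every content match of the rule holds, in the order the
    rule imposes: the gadget marker must follow the octet-stream Content-Type
    line inside the body (that is what 'distance:0' means)."""
    method, uri, headers, body = parse_http_request(raw)
    if method != b"POST":
        return False
    # The rule's http.uri match is case-sensitive; matching nocase here is a
    # deliberate, slightly broader defensive choice.
    if QUEUE_URI not in uri.lower():
        return False
    # http.header is lower-cased by the rule before comparing the SOAPAction value.
    if headers.get(b"soapaction", b"").lower() != b'"msmqmessage"':
        return False
    if b"/msmq/private$/citrixsmaudeventdata" not in body.lower():  # nocase
        return False
    ct = body.find(OCTET_STREAM_LINE)
    if ct < 0:
        return False
    return body.find(GADGET_MARKER, ct) >= 0  # distance:0 -> after Content-Type


# Constructed samples (not captured traffic).  The first carries every indicator
# from the rule; the second is the same SRMP-style envelope without the marker.
SAMPLE_FLAGGED = (
    b"POST /msmq/private$/citrixsmaudeventdata HTTP/1.1\r\n"
    b"Host: sessionrecording.example.internal\r\n"  # assumed hostname
    b'SOAPAction: "MSMQMessage"\r\n'
    b"Content-Type: multipart/related; boundary=MSMQ\r\n\r\n"
    b"--MSMQ\r\nContent-Type: text/xml\r\n\r\n"
    b"<env:Envelope><path:To>/msmq/Private$/CitrixSmAudEventData</path:To></env:Envelope>\r\n"
    b"--MSMQ\r\n" + OCTET_STREAM_LINE + b"\r\n"
    b"<placeholder serialized bytes>System.DelegateSerializationHolder<placeholder>\r\n"
    b"--MSMQ--\r\n"
)
SAMPLE_BENIGN = SAMPLE_FLAGGED.replace(GADGET_MARKER, b"<placeholder audit event>")
```

Because the rule only fires on decrypted traffic, the bytes passed in must come from a TLS-inspecting sensor or a server-side capture.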

CVSS provenance

NVD v3.1:  8.0 HIGH    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v4.0:  5.1 MEDIUM  CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 5.1 MEDIUM
CISA:      5.1 MEDIUM