CVE-2024-8069
Published 2024-11-12
CVE-2024-8069: Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the…
Priority: P1 · 82 · high · 8 (CVSS 3.1)
CVSS vector: AV:A / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-09-15
Exploited in the wild
EPSS: 14.74% (96.3th percentile)
Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_session_recording | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | session_recording | < 2407 | 2407 |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | session_recording | — | — |
| citrix | xenserver | — | — |
| citrix_session_recording | citrix_session_recording | >= 1912 LTSR < CU9 hotfix 19.12.9100.6 | CU9 hotfix 19.12.9100.6 |
| citrix_session_recording | citrix_session_recording | >= 2203 LTSR < CU5 hotfix 22.03.5100.11 | CU5 hotfix 22.03.5100.11 |
| citrix_session_recording | citrix_session_recording | >= 2402 LTSR < CU1 hotfix 24.02.1200.16 | CU1 hotfix 24.02.1200.16 |
| citrix_session_recording | citrix_session_recording | >= 2407 Current Release < 24.5.200.8 | 24.5.200.8 |
Detection & IOCs
- url: /msmq/private$/citrixsmaudeventdata
- path: /msmq/Private$/CitrixSmAudEventData
- other: soapaction: "msmqmessage"
- other: System.DelegateSerializationHolder

Snort

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/msmq/private$/citrixsmaudeventdata"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20 22|msmqmessage|22|"; http.request_body; content:"/msmq/Private$/CitrixSmAudEventData"; nocase; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"System|2e|DelegateSerializationHolder"; distance:0; reference:url,labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/; reference:cve,2024-8069; classtype:web-application-attack; sid:2057435; rev:1; metadata:affected_product Citrix, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_8069, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit traffic uses the HTTP POST method targeting the MSMQ private queue endpoint for Citrix Session Recording audit event data.
- Exploit requests carry a SOAPAction header value of 'msmqmessage', which is a strong and specific indicator of exploitation attempts.
- Exploit request body contains 'System.DelegateSerializationHolder', a .NET deserialization gadget chain marker indicating a malicious deserialization payload.
- Exploit request body uses a Content-Type of application/octet-stream, consistent with a raw serialized binary payload being submitted to the MSMQ endpoint.
- The vulnerability is exploitable only by an authenticated user on the same intranet as the Session Recording server; monitor for lateral movement from internal hosts to the Session Recording server on this endpoint.
- Successful exploitation results in code execution under the NetworkService account; monitor for anomalous processes spawned by NetworkService on Citrix Session Recording servers.
- Research reference for exploit details is available at the watchTowr Labs blog, which was credited for discovering the vulnerability.
- The Snort/Suricata rule includes 'tls_state TLSDecrypt' metadata, meaning the rule will only fire on decrypted TLS traffic. Ensure SSL/TLS inspection (SSLDecrypt) is enabled on perimeter and internal sensors for this rule to be effective.
- The vulnerability affects multiple Citrix Session Recording LTSR and CR versions; patching must be applied per-branch. Unpatched versions include: 2407 before hotfix 24.5.200.8, 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16.
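The match conditions listed above, re-implemented as an offline triage function over already-decrypted, parsed HTTP requests. This is an added example, not part of the rule set or of the original page; the request dictionary layout, the source addresses and the sample body are constructed for illustration.

```python
# Added example: the rule's match conditions applied offline to parsed requests.
QUEUE = "/msmq/private$/citrixsmaudeventdata"
SOAP_HEADER = 'soapaction: "msmqmessage"'
PART_CTYPE = b"Content-Type: application/octet-stream\r\n"
MARKER = b"System.DelegateSerializationHolder"

def classify(method, uri, headers, body):
    """Return 'rule-match', 'endpoint-only' or 'none' for one HTTP request."""
    # URI is compared case-insensitively here, which is broader than the
    # rule's case-sensitive http.uri content match.
    if method != "POST" or QUEUE not in uri.lower():
        return "none"
    # http.header; to_lowercase; content:"soapaction: \"msmqmessage\""
    soap = any(f"{k}: {v}".lower() == SOAP_HEADER for k, v in headers.items())
    # Request body: queue path (nocase), the MIME part Content-Type line,
    # then the marker anywhere after that line (distance:0).
    queue_in_body = QUEUE.encode() in body.lower()
    ct = body.find(PART_CTYPE)
    marker_after = ct != -1 and MARKER in body[ct + len(PART_CTYPE):]
    if soap and queue_in_body and marker_after:
        return "rule-match"
    return "endpoint-only"  # POST to the queue endpoint: still worth triage

def triage(requests):
    """Map each source address to the strongest non-'none' verdict seen."""
    rank = {"endpoint-only": 1, "rule-match": 2}
    worst = {}
    for r in requests:
        v = classify(r["method"], r["uri"], r["headers"], r["body"])
        if v != "none" and rank[v] > rank.get(worst.get(r["src"]), 0):
            worst[r["src"]] = v
    return worst

# Constructed sample requests (marker strings only, no real payload).
BODY = (b"--mime\r\n<path>/msmq/Private$/CitrixSmAudEventData</path>\r\n--mime\r\n"
        + PART_CTYPE + b"\r\n...System.DelegateSerializationHolder...\r\n")
SAMPLES = [
    {"src": "10.0.5.23", "method": "POST", "uri": QUEUE,
     "headers": {"SOAPAction": '"MSMQMessage"'}, "body": BODY},
    {"src": "10.0.5.40", "method": "POST",
     "uri": "/MSMQ/Private$/CitrixSmAudEventData", "headers": {}, "body": b""},
    {"src": "10.0.5.41", "method": "GET", "uri": "/", "headers": {}, "body": b""},
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLES).items():
        print(src, verdict)
```

The `endpoint-only` verdict covers the monitoring advice above: any internal host posting to this queue endpoint on a Session Recording server deserves a look even when the full signature does not match.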
CVSS provenance
- nvd · v3.1 · 8.0 · HIGH · CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd · v4.0 · 5.1 · MEDIUM · CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vulncheck · 5.1 · MEDIUM
- cisa · 5.1 · MEDIUM
CISA
Citrix Session Recording Deserialization of Untrusted Data Vulnerability
cisa·2025-08-25·CVSS 5.1
CVE-2024-8069 [MEDIUM] CWE-502 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Vulnerability: Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Affected: Citrix Session Recording
Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8069
Remediation Due Date: 2025-09-15
Citrix
Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
vendor_citrix·2024-11-14·CVSS 5.1
CVE-2024-8068 [MEDIUM] CWE-269 Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
of Problem A vulnerability has been discovered in Citrix Session Recording. Refer below for further details:
CVE References: CVE-2024-8068, CVE-2024-8069
Affected Products: Citrix Session Recording, Citrix Virtual Apps and Desktops, Session Recording, XenServer, session recording
Severity: Medium
CVSS Score: 5.1
Remediation:
Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon as their upgrade schedule permits: Current Release (CR) Citrix Session Recording 2407 hotfix 24.5.200.8 and later Long Term Service Release (LTSR) Citrix Session Recording 1912 LTSR CU9 hotfix 19.12.9100.6 and later Citrix Session
GHSA
GHSA-ww66-45gm-65fm: Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user o
ghsa_unreviewed·2024-11-12
CVE-2024-8069 [MEDIUM] CWE-502 GHSA-ww66-45gm-65fm: Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user o
Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server
VulnCheck
Citrix Session Recording Deserialization of Untrusted Data Vulnerability
vulncheck·2024·CVSS 5.1
CVE-2024-8069 [MEDIUM] CWE-502 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Citrix Session Recording Deserialization of Untrusted Data Vulnerability
Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.
Affected: Citrix Session Recording
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://infosec.exchange/@shadowserver/113471909797234133; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-11-13&host_type=src&vulnerability=cve-2024-8069; https://dashboard.s
Suricata
ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)
suricata·2024-11-13·CVSS 5.1
CVE-2024-8069 [MEDIUM] ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)
ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Session Recording Remote Code Execution (CVE-2024-8069)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/msmq/private$/citrixsmaudeventdata"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20 22|msmqmessage|22|"; http.request_body; content:"/msmq/Private$/CitrixSmAudEventData"; nocase; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"System|2e|DelegateSerializationHolder"; distance:0; reference:url,labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/; reference:cve,2024-8069; classtype:web-a
No public exploits indexed.
Tenable
Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic
blogs_tenable·2026-04-14
Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic
Bleepingcomputer
CISA warns of actively exploited Git code execution flaw
blogs_bleepingcomputer·2025-08-26·CVSS 5.1
[MEDIUM] CISA warns of actively exploited Git code execution flaw
## CISA warns of actively exploited Git code execution flaw
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system.
The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th.
Git version control system allows software development teams to track codebase changes over time. The library is the backbone of modern software collaboration, serving as the basis for platforms such as GitHub, GitLab, and Bitbucket.
The exploited vulnerability in Git has a high-severity score and is tracked as CVE-2025-48384 . It stems from Git's mishandling of carriage return
Wiz
Crying Out Cloud - December 2024 Newsletter | Wiz
blogs_wiz·2024-12-12·CVSS 9.3
CVE-2024-0012 [CRITICAL] Crying Out Cloud - December 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.
Here are our top picks!
🔍 Highlights
RCE Vulnerability in PAN-OS
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.
Learn more in our blog .
🐞 High Profile Vulnerabilities
Critical Vulnerability in Spring WebFlux
A critical vulnerability, CVE-2024-38821, was identifie
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
# August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
2024-11-12
Published
2025-08-25
Added to CISA KEV
Exploited in the wild