# U.S. CISA Adds Citrix Session Recording and Git Flaws to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Citrix Session Recording (CVE-2024-8069) and Git (CVE-2025-48384). These additions come as part of CISA's efforts to provide timely warnings to federal agencies and private organizations about known exploits that can compromise the security of their networks.

### Citrix Session Recording Vulnerability

The first vulnerability, CVE-2024-8069, is a limited remote code execution flaw with privilege escalation in Citrix Session Recording. An attacker who is an authenticated user on the same intranet as the session recording server can exploit it to gain unauthorized access to sensitive data.

In more detail, CVE-2024-8069 allows an attacker to execute arbitrary code by manipulating a specific file path. The vulnerability is caused by a mistake in Citrix Session Recording's handling of file paths, which can lead to a privilege escalation attack. This means that even if the user is not directly accessing the vulnerable server, they can still exploit the vulnerability by manipulating the file system.

### Git Vulnerability

The second vulnerability, CVE-2025-48384, is related to Git's handling of configuration values. The problem lies in how Git processes carriage return (CR) characters, which are used to indicate line breaks in text files. When Git writes a config entry, it does not properly preserve trailing CR values, leading to subtle alterations in paths that include them.

This may seem like a minor issue, but it can have serious consequences during submodule initialization. If the submodule path contains a trailing CR, Git interprets it incorrectly and checks out the submodule to the wrong location. An attacker could exploit this by creating a symlink from the altered path to the submodule's hooks directory. If the submodule also contains a malicious, executable post-checkout hook, the script would run automatically after checkout—without the user's awareness.
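As a defensive check for the behaviour described above, the following added example (not code from Git or from CISA) scans the raw bytes of a `.gitmodules` file and reports submodule paths whose parsed value contains a carriage return or any other control byte. The value parser is a simplified approximation of Git's config syntax, the function names are hypothetical, and the sample input is constructed.

```python
import re

# "path = value" lines; Git config keys are case-insensitive.
PATH_LINE = re.compile(rb"^\s*path\s*=\s*(.*)$", re.IGNORECASE)
ESCAPES = {b"n": b"\n", b"t": b"\t", b"b": b"\b"}  # other escaped bytes stay literal

def parse_value(raw: bytes) -> bytes:
    """Simplified Git config value parser: quotes, escapes, comments, trailing space."""
    out, in_quotes, keep, i = bytearray(), False, 0, 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt)
            keep, i = len(out), i + 2
            continue
        if c == b'"':
            in_quotes, keep = not in_quotes, len(out)
        elif c in b"#;" and not in_quotes:
            break  # comment starts here
        else:
            out += c
            if in_quotes or not c.isspace():
                keep = len(out)  # unquoted trailing whitespace is dropped
        i += 1
    return bytes(out[:keep])

def suspicious_submodule_paths(gitmodules: bytes):
    """Return (line number, parsed path) for paths containing control bytes."""
    findings = []
    for lineno, line in enumerate(gitmodules.split(b"\n"), 1):
        if line.endswith(b"\r"):
            line = line[:-1]  # ordinary CRLF line ending, not part of the value
        m = PATH_LINE.match(line)
        if not m:
            continue
        value = parse_value(m.group(1))
        if any(b < 0x20 or b == 0x7F for b in value):
            findings.append((lineno, value))
    return findings

# Constructed sample: one clean entry, one CRLF-terminated entry, one quoted trailing CR.
SAMPLE = (
    b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
    b'[submodule "docs"]\r\n\tpath = docs\r\n'
    b'[submodule "vendor"]\n\tpath = "vendor\r"\n'
)

if __name__ == "__main__":
    for lineno, value in suspicious_submodule_paths(SAMPLE):
        print(f"line {lineno}: suspicious submodule path {value!r}")
```

A file saved with CRLF line endings is not flagged; only a control byte that survives inside the parsed value is. Such a check can run in CI or a pre-clone review step before any recursive submodule initialization.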

### Recommendations

According to CISA's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have until September 15, 2025, to fix these vulnerabilities. Private organizations are also advised to review the KEV catalog and address the vulnerabilities in their infrastructure.

Experts recommend that organizations take proactive measures to protect themselves against these exploits. This includes implementing security patches, conducting regular vulnerability assessments, and providing training to employees on how to identify and report suspicious activity.

### Stay Safe Online

As always, it's essential to stay informed about the latest cybersecurity threats and updates from trusted sources like CISA.