The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities, affecting Citrix and Git products, to its Known Exploited Vulnerabilities (KEV) catalog.

According to CISA, the list includes two Citrix Session Recording vulnerabilities (CVE-2024-8068 and CVE-2024-8069), which allow elevation of privilege and remote code execution in Windows Active Directory domains. Both vulnerabilities have a CVSS score of 5.1 and were patched in November 2024 after being reported by researchers at watchTowr Labs.
The third vulnerability is CVE-2025-48384 in Git, which has a CVSS score of 8.1. It stems from improper handling of carriage return (CR) characters in configuration files, which could lead to arbitrary code execution when cloning repositories. The vulnerability was patched in July 2025, but a proof-of-concept exploit appeared after public disclosure, raising the risk of exploitation by attackers.
Arctic Wolf specialists explained that the attack is possible if the submodule path contains a CR character and a symbolic link to a hook file is used. This allows the submodule to be initialized in an unexpected directory and malicious code to be executed.
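
A defensive check for the condition Arctic Wolf describes, added here as an example (not code from CISA, Arctic Wolf or the Git project): it scans the bytes of a `.gitmodules` file for submodule `path` values that contain a carriage return other than a CRLF line ending. The function name and the sample file are constructed for illustration, and the check is a review heuristic rather than a full Git config parser.

```python
import re

SECTION_RE = re.compile(rb'^\s*\[\s*submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\s*\]')
ANY_SECTION_RE = re.compile(rb'^\s*\[')
PATH_RE = re.compile(rb'^\s*path\s*=\s*(?P<value>.*)$', re.IGNORECASE | re.DOTALL)


def find_cr_submodule_paths(gitmodules: bytes):
    """Return (line_number, submodule_name, raw_value) for every submodule
    path whose value carries a CR that is not part of a CRLF line ending."""
    findings = []
    current = None  # name of the [submodule "..."] section we are inside
    for lineno, line in enumerate(gitmodules.split(b"\n"), start=1):
        # One CR directly before the LF is an ordinary Windows line ending.
        if line.endswith(b"\r"):
            line = line[:-1]
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name").decode("utf-8", "replace")
            continue
        if ANY_SECTION_RE.match(line):
            current = None  # some other section, e.g. [core]
            continue
        entry = PATH_RE.match(line)
        # Any CR still present sits inside the value itself (for example
        # inside a quoted string) and deserves a manual look.
        if current is not None and entry and b"\r" in entry.group("value"):
            findings.append((lineno, current, entry.group("value")))
    return findings


# Constructed sample: "docs" uses plain CRLF line endings (benign), while
# "vendor" has a CR inside the quoted path value (the pattern to flag).
SAMPLE = (
    b'[submodule "docs"]\r\n'
    b'\tpath = docs\r\n'
    b'\turl = https://example.invalid/docs.git\r\n'
    b'[submodule "vendor"]\n'
    b'\tpath = "vendor\r"\n'
    b'\turl = https://example.invalid/vendor.git\n'
)

if __name__ == "__main__":
    for lineno, name, value in find_cr_submodule_paths(SAMPLE):
        print(f"line {lineno}: submodule {name!r} has CR in path {value!r}")
```

Reading the file as bytes matters here, because text-mode reads with newline translation would hide the character being searched for.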
The CISA KEV catalog is an official list of vulnerabilities that have been confirmed to be actively used in attacks. All US federal agencies are required to promptly fix such problems to minimize the risk of intrusion into their networks. In this case, Federal Civilian Executive Branch (FCEB) agencies are ordered to remediate the identified vulnerabilities by September 15, 2025.
Citrix and Git are widely used in corporate and government environments, so the exploitation of these bugs can lead to large-scale leaks or compromise of systems.
The CISA update is a reminder that even moderate-severity vulnerabilities can pose a serious threat if a working exploit exists. Organizations should urgently update Citrix Session Recording and Git to avoid potential attacks.