Cyber Resilience

CVE-2024-8069

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 November 2024
Modified: 24 October 2025
KEV Added: 25 August 2025
Patch: available (Citrix security bulletin CTX691941)
CVSS v4 Score: 5.1 (Medium)
CVSS v4 Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.4829 (97.8th percentile)
Risk Priority: 59 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-8069 is a medium-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Citrix Session Recording. Its CVSS base score is 5.1 (Medium).

Operationally, its EPSS score (97.8th percentile) places it in the top 2.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
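The CVSS v4 vector and the Risk Priority weighting quoted above can be checked mechanically rather than read off by eye. The following is an added example, not code from this page or from Citrix: it parses the page's v4 vector, confirms the adjacent-network plus authenticated-user precondition the analysis below relies on (AV:A, PR:L), and recomputes the priority from the page's stated 60/20/20 weights. The 0..100 scaling of each component, the integer rounding, and all function names are my assumptions.

```python
"""CVSS v4.0 vector parsing and weighted risk-priority recomputation.

Added example. The weighting (60% EPSS, 20% KEV, 20% CVSS) is the page's
stated formula; scaling each component to 0..100 and rounding to an
integer are assumptions made here.
"""
import re

# The page's CVSS v4 vector for CVE-2024-8069 (all non-base metrics are X,
# i.e. "Not Defined").
PAGE_VECTOR = ("CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
               "/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X"
               "/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X")

# Base metrics every CVSS v4.0 vector must carry, with their legal values.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}


def parse_cvss_v4(vector):
    """Return {metric: value} for a CVSS:4.0 vector string.

    Raises ValueError on a wrong prefix, a malformed component, a duplicate
    metric, an illegal base-metric value, or a missing base metric. Optional
    metrics are kept verbatim; the value "X" means "Not Defined".
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: %r" % parts[0])
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m:
            raise ValueError("malformed component: %r" % part)
        name, value = m.groups()
        if name in metrics:
            raise ValueError("duplicate metric: %s" % name)
        if name in BASE_METRICS and value not in BASE_METRICS[name]:
            raise ValueError("illegal value %s for %s" % (value, name))
        metrics[name] = value
    missing = [n for n in BASE_METRICS if n not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def is_valid_v4(vector):
    """Boolean wrapper around parse_cvss_v4 for quick filtering."""
    try:
        parse_cvss_v4(vector)
        return True
    except ValueError:
        return False


def requires_adjacent_authenticated(metrics):
    """True when the vector encodes the precondition this page describes:
    attacker on the adjacent network (AV:A) holding some privileges (PR:L/H)."""
    return metrics["AV"] == "A" and metrics["PR"] in ("L", "H")


def risk_priority(epss, in_kev, cvss_base):
    """Page formula: 60% EPSS, 20% KEV, 20% CVSS, each scaled to 0..100.
    The scaling and the rounding to an integer are assumptions."""
    if not 0.0 <= epss <= 1.0 or not 0.0 <= cvss_base <= 10.0:
        raise ValueError("epss must be in [0, 1], cvss_base in [0, 10]")
    score = (0.6 * (epss * 100)
             + 0.2 * (100 if in_kev else 0)
             + 0.2 * (cvss_base * 10))
    return int(round(score))


def triage(vector, epss, in_kev, cvss_base):
    """Combine the three checks into one record for a prioritisation queue."""
    m = parse_cvss_v4(vector)
    return {
        "adjacent_authenticated": requires_adjacent_authenticated(m),
        "undefined_metrics": sorted(k for k, v in m.items() if v == "X"),
        "risk_priority": risk_priority(epss, in_kev, cvss_base),
    }


if __name__ == "__main__":
    # Page values: EPSS 0.4829, listed in KEV, CVSS base 5.1.
    print(triage(PAGE_VECTOR, 0.4829, True, 5.1))
```

With the page's values the recomputed priority is 59, matching the header; substituting the peak EPSS of 0.6675 mentioned in the deeper analysis gives 70, which shows how much of this score is driven by the EPSS term.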

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-8069 is a deserialization vulnerability that permits limited remote code execution under NetworkService account privileges within Citrix Session Recording. The affected component is the session recording server when accessed over the network by an authenticated user.

An attacker who is already an authenticated user on the same intranet as the session recording server can exploit the flaw to run arbitrary code with the limited privileges of the NetworkService account, resulting in partial impacts to confidentiality, integrity, and availability on the affected host.

Citrix has published security bulletin CTX691941 addressing both CVE-2024-8068 and CVE-2024-8069, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog. The EPSS score climbed from lower values to a peak of 0.6675 before receding to its current 0.4829, consistent with heightened exploitation interest after disclosure.

EU & UK References

Vulnerability details

Limited remote code execution with NetworkService account privileges in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 25 August 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Citrix
Product: Session Recording
Versions: 1912, 2203, 2402, 2407 (≤ 2407)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly counters the deserialization flaw (CWE-502) by requiring validation of untrusted input before object reconstruction in the Session Recording service. In practice the durable form of this control is the vendor fix in CTX691941; input filtering in front of a deserializer is a stopgap, not a substitute for patching.

SC-7 Boundary Protection (prevent)

Enforces boundary protection and network segmentation so that only the hosts that need to reach the Session Recording server can do so; the attack vector is adjacent-network (AV:A), so limiting intranet reachability to the server removes the precondition for exploitation.

Least privilege for the service account (prevent)

Runs the Session Recording service under the limited NetworkService account, so code execution through the deserialization flaw is contained to that account's privileges rather than a higher-privileged one. This limits the blast radius; it does not prevent the exploit itself.

References