Two Citrix bugs, Git repo flaw added to exploited vulnerabilities list

August 26, 2025

Citrix sign on its office building in Fort Lauderdale, Florida, USA, an American cloud computing and virtualization technology company.

(Adobe Stock)

The Cybersecurity and Infrastructure Security Agency (CISA) added three non-critical bugs to its Known Exploited Vulnerabilities (KEV) catalog on Aug. 25, pointing out that the flaws were actively exploited.

Two of the bugs were previously patched 5.1 Citrix flaws, one a privilege escalation flaw, CVE-2024-8068, the other, CVE-2024-8069, a remote code execution bug.

The third previously patched flaw, CVE-2025-48384, was a high-severity 8.1 vulnerability that lets threat actors create malicious Git repositories that unexpectedly run code when being cloned.

CISA said federal agencies have until Sept. 15 to apply the patches.

“These made the KEV list because KEV tracks what’s being exploited, not what looks scary on a static score,” said Jason Soroko, senior fellow at Sectigo. “The Citrix issues land at 5.1 because they assume an authenticated user on the same domain or intranet, conditions that are common once an attacker gains a foothold in an enterprise.”

Soroko said in the case of the Citrix bugs, escalation to a NetworkService context and limited remote code execution are valuable stepping stones that allow for lateral movement and persistence. The Git bug stems from inconsistent handling of carriage return characters in configuration files that can yield code execution, so it drew more attention, said Soroko, yet all three align with everyday attacker playbooks.

“KEV status is the signal that these paths are being used in the wild,” said Soroko.

Jake Ouellette, lead incident detection engineer at Blumira, added that the Git vulnerability is especially attractive to attackers because of the potential widespread impact Git has in being ubiquitous in software development environments. He said attackers can easily exploit the vulnerability by creating malicious Git repositories that will execute code when they are cloned.

“It’s also a stealthy attack vector, as Git activities would be transparent to the victim, allowing stealthy persistence for the attacker,” said Ouellette.