CISA Flags Actively Exploited Citrix and Git Flaws as Exploitation Accelerates
- Cyber Jill
- Aug 26
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three newly exploited bugs in Citrix and Git to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies patch them by mid-September. The move underscores how attackers are increasingly leveraging even mid-range vulnerabilities once reliable proof-of-concept exploits emerge.
A Trio of Targets
Two of the flaws—CVE-2024-8068 and CVE-2024-8069—impact Citrix Session Recording, a tool often deployed in tightly controlled enterprise environments. Both were responsibly disclosed by watchTowr Labs last summer and patched by Citrix in November 2024. The issues enable privilege escalation and limited code execution, but only when an attacker already has authenticated access inside the same network domain.
The third, CVE-2025-48384, is the standout: a Git configuration parsing bug that scored 8.1 on the CVSS scale. Researchers at Datadog released a working exploit in July, demonstrating how a subtle misinterpretation of carriage return characters in configuration files could let an attacker trick Git into executing arbitrary code when cloning a repository. Arctic Wolf warned that the flaw becomes especially dangerous when chained with symlinks and malicious post-checkout hooks: “cloning a repository can result in unintended code execution.”
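As an added illustration of the parsing mismatch described above (example code written for this page, not Git's code and not the Datadog or Arctic Wolf material), the following Python scanner reads a Git-style configuration file as raw bytes and flags every value that carries a carriage return, reporting the stored bytes beside what a reader that silently strips a trailing CR would see. It assumes the file of interest is a `.gitmodules`-style submodule list (the article says only "configuration files"); the sample input is constructed, and the `uniform_crlf` helper separates a file that was merely converted to Windows line endings from the single-line case worth escalating.

```python
"""Scan a Git-style config file for carriage-return characters in values.

Added example, not from the article or from the Git project.  It models the
failure mode the article describes: a config reader that drops a trailing
CR sees a different value than the one actually stored, so the raw bytes
are inspected rather than an already-normalised decoded string.
"""
import re

# "[section]" or "[section "subsection"]" headers, matched on the raw line.
_SECTION_RE = re.compile(rb'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]')


def parse_git_config(raw: bytes) -> list[tuple[str, str, bytes]]:
    """Return (section, key, raw_value) triples from git-config-style bytes.

    Lines are split on LF only, so any CR stays inside the value and is
    visible to the caller.  Quoting and escapes are not interpreted: this is
    a detector, not a replacement for Git's own parser.
    """
    entries = []
    section = ""
    for line in raw.split(b"\n"):
        bare = line.strip(b" \t")          # deliberately leaves CR in place
        if not bare or bare[:1] in (b"#", b";"):
            continue
        m = _SECTION_RE.match(bare)
        if m:
            name = m.group(1).decode("utf-8", "replace")
            sub = m.group(2)
            section = f'{name}.{sub.decode("utf-8", "replace")}' if sub else name
            continue
        key, sep, value = bare.partition(b"=")
        if not sep:
            continue
        entries.append((section,
                        key.strip().decode("utf-8", "replace"),
                        value.strip(b" \t")))
    return entries


def find_cr_values(raw: bytes) -> list[dict]:
    """Report every value whose stored bytes contain a CR.

    'as_read' approximates a reader that strips trailing whitespace, the
    behaviour the article attributes to Git's config parsing; the mismatch
    between 'stored' and 'as_read' is the signal a reviewer wants to see.
    """
    findings = []
    for section, key, value in parse_git_config(raw):
        if b"\r" in value:
            findings.append({
                "section": section,
                "key": key,
                "stored": value,
                "as_read": value.rstrip(b" \t\r"),
            })
    return findings


def uniform_crlf(raw: bytes) -> bool:
    """True when every non-empty line ends in CR (plain CRLF line endings).

    Such a file flags every value and is usually just a line-ending
    conversion; one CR on a single 'path' line in an otherwise LF file is
    the pattern to escalate.  Callers can use this to rank findings.
    """
    lines = [ln for ln in raw.split(b"\n") if ln]
    return bool(lines) and all(ln.endswith(b"\r") for ln in lines)


# Constructed sample resembling a .gitmodules file; only the second
# submodule's path carries a CR before the newline.
SAMPLE_GITMODULES = (
    b'[submodule "vendor/lib"]\n'
    b'\tpath = vendor/lib\n'
    b'\turl = https://example.invalid/lib.git\n'
    b'[submodule "tools"]\n'
    b'\tpath = tools\r\n'
    b'\turl = https://example.invalid/tools.git\n'
)

if __name__ == "__main__":
    for f in find_cr_values(SAMPLE_GITMODULES):
        print(f"{f['section']}.{f['key']}: stored={f['stored']!r} "
              f"read={f['as_read']!r}")
    print("uniform CRLF file:", uniform_crlf(SAMPLE_GITMODULES))
```

Run it against a repository's `.gitmodules` (`find_cr_values(open(path, "rb").read())`) before cloning with submodules or as a pre-receive check; the point is that the check has to operate on bytes, because any text-mode read that normalises line endings hides exactly the character the bug depends on.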
Why Medium Scores Still Matter
While the Citrix bugs were rated “moderate,” their inclusion in the KEV list signals they’re being actively exploited in the wild. For federal agencies, that means patching isn’t optional—CISA has set September 15, 2025, as the compliance deadline.
“The addition of Citrix and Git flaws to CISA’s KEV list underscores how even moderate-severity vulnerabilities can become high-priority when reliable exploits are in circulation,” said Gunter Ollmann, CTO of Cobalt. He noted that attackers are increasingly using automated assistants to chain what look like minor bugs into full-scale compromises: “Privilege escalation through chaining of vulnerabilities is becoming easier as copilot technologies help attackers and pentesters alike logically link lesser flaws into full exploitation paths.”
Ollmann warned that even flaws requiring insider access can’t be dismissed. “While the Citrix issues require insider access, history shows adversaries are quick to pivot once they have a foothold,” he said. His recommendation: treat CISA’s KEV not just as compliance overhead but as an active feed of adversary playbooks.
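One concrete way to treat the KEV catalog as a feed rather than a checklist, added here as example code that is not from the article or from CISA: join the catalog's JSON against an inventory of where affected products are actually deployed and sort by days remaining to the due date. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow the published feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the records, host names and `dateAdded` values below are constructed so the script runs offline, with only the September 15, 2025 due date taken from the article.

```python
"""Triage the CISA KEV feed against an asset inventory.

Added example, not from the article.  Replace SAMPLE_KEV_JSON with the
downloaded catalog and INVENTORY with real asset data; the logic is the
same.
"""
import json

# Constructed sample in the KEV feed's shape.  The due date is the one the
# article reports; dateAdded and the fourth, placeholder entry are
# illustrative only.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-8068", "vendorProject": "Citrix",
         "product": "Session Recording", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-8069", "vendorProject": "Citrix",
         "product": "Session Recording", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48384", "vendorProject": "Git",
         "product": "Git", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
        # Placeholder entry (not a real CVE) that is not in our inventory.
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo",
         "product": "Widget", "dateAdded": "2025-01-01",
         "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: CVE -> hosts running the affected product.
INVENTORY = {
    "CVE-2025-48384": ["build-runner-01", "dev-laptop-17"],
    "CVE-2024-8068": ["citrix-rec-01"],
    "CVE-2024-8069": ["citrix-rec-01"],
}


def load_kev(text: str) -> dict[str, dict]:
    """Index the catalog by CVE id."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(kev: dict[str, dict], inventory: dict[str, list[str]],
           today: str) -> list[dict]:
    """One row per KEV entry that touches the inventory, soonest due first.

    `today` is an ISO date string so the function is easy to call from
    cron or a test without constructing date objects.
    """
    from datetime import date
    now = date.fromisoformat(today)
    rows = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue                       # in inventory but not (yet) in KEV
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - now).days,
            "hosts": hosts,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


def overdue(rows: list[dict]) -> list[dict]:
    """Rows whose due date has already passed."""
    return [r for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for r in triage(kev, INVENTORY, "2025-08-26"):
        print(f'{r["cve"]:<16} {r["product"]:<28} due {r["due"]} '
              f'({r["days_left"]:>3} days) hosts={",".join(r["hosts"])}')
```

The join is the part that turns a government deadline into a local work queue: the catalog says which flaws are being exploited, the inventory says which of them matter here, and the sort order says what to patch first. A run with a later `today` shows the same rows with negative `days_left`, which is the condition `overdue` is meant to surface.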
Bigger Picture
The latest additions illustrate the widening gap between patch availability and exploit weaponization. In both the Citrix and Git cases, fixes were released weeks or months before exploits went public—yet exploitation still followed. The KEV catalog, once seen as a bureaucratic checklist, has become a map of what attackers are actually targeting in real time.
For defenders, the message is clear: don’t assume “medium” means safe. The real risk is measured by how quickly attackers weaponize code, not just the CVSS score.