CVE-2024-8068 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2024-11-12

Added to CISA KEV: 2025-08-25 286 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply vendor patches immediately: Update to fixed versions (24.5.200.8 for Current Release, appropriate hotfixes for LTSR versions)
Monitor for privilege escalation activities and unusual NetworkService account usage
Review Active Directory audit logs for suspicious authentication patterns
Implement network segmentation to limit lateral movement potential
HIGH patch priority due to CISA KEV listing and potential for lateral movement

CVE-2024-8068 is a security vulnerability affecting Citrix Session Recording that allows for local privilege escalation ^[1].

Below is a summary of the known details regarding this vulnerability:

Vulnerability Type: Privilege Escalation ^[1].
Requirements: An attacker must already be an authenticated user within the same Windows Active Directory domain as the session recording server ^[1].
Access Level: It is a local attack vector, meaning it is not directly exploitable from the internet without prior authenticated access to the network environment ^[1].

Successful Exploitation: An attacker can escalate their privileges to the `NetworkService` account level on the affected Citrix Session Recording server ^[1].
Severity: While officially classified by the vendor as medium severity, some security researchers have disputed this, suggesting that the potential for further exploitation (such as Remote Code Execution when combined with other vulnerabilities like CVE-2024-8069) warrants higher concern ^[2].

Active Exploitation: There is no widespread evidence of active exploitation in the wild or specific attribution to ransomware campaigns in the standard public vulnerability databases at this time.
Proof-of-Concept: Publicly available, weaponized exploit tools are not widely documented in standard security repositories, though the vulnerability is tracked by CISA in their Known Exploited Vulnerabilities (KEV) catalog, which typically indicates that the vulnerability has been observed in real-world attacks ^[1].

Affected Versions: The vulnerability affects various supported versions of Citrix Virtual Apps and Desktops (specifically the Session Recording component) ^[2].
Patch Status: Citrix released a security bulletin (CTX691941) in November 2024 providing hotfixes for the affected versions ^[3]. Organizations using Citrix Session Recording should apply the vendor-provided updates immediately to mitigate the risk ^[2].

CVE-2024-8068 Detail - NVD
Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active ... Official websites use .gov A .gov website belongs to an official government organization in the United States. ... CVE-2024-8068 Detail. Descript…
CVE-2024-8068 and CVE-2024-8069 - Citrix Session
The CVEs associated with the vulnerabilities are CVE-2024-8068 and CVE-2024-8069 which are currently classified as Medium severity by the vendor ; h owever, this medium rating is disputed by the original author due to the Unauthenticated R emote C ode E xecution capabilities of the exploit on affect…
CTX691941 - CITRIX | Support
CVE-2024-8068, Privilege escalation to NetworkService Account access. Attacker must be an authenticated user in the same Windows Active ...

🟢 CVE-2024-8068