Multiple vulnerabilities in Citrix and Git added to CISA KEV catalog
Summary
CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway.

CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems.

CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Timeline
- 26.08.2025 20:29 (2 articles)
CISA adds CVE-2025-7775 to KEV catalog, mandating immediate remediation
CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction. The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- 26.08.2025 08:55 (4 articles)
CISA adds three exploited vulnerabilities in Citrix and Git to KEV catalog
The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
Information Snippets
CVE-2024-8068 is an improper privilege management vulnerability in Citrix Session Recording that allows privilege escalation to NetworkService Account access.
First reported: 26.08.2025 08:55 (1 source, 1 article). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
CVE-2024-8069 is a deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with NetworkService Account privileges.
First reported: 26.08.2025 08:55 (1 source, 1 article). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
CVE-2025-48384 is a link following vulnerability in Git that results in arbitrary code execution due to inconsistent handling of carriage return characters in configuration files.
First reported: 26.08.2025 08:55 (2 sources, 2 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
The Citrix vulnerabilities were patched in November 2024 after responsible disclosure by watchTowr Labs on July 14, 2024.
First reported: 26.08.2025 08:55 (2 sources, 2 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The Git vulnerability was addressed in July 2025, with a proof-of-concept exploit released by Datadog.
First reported: 26.08.2025 08:55 (3 sources, 3 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The Git vulnerability allows for arbitrary code execution when a submodule path contains a trailing carriage return, combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook.
First reported: 26.08.2025 08:55 (3 sources, 3 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
Federal Civilian Executive Branch agencies must apply mitigations by September 15, 2025, to secure their networks against these active threats.
First reported: 26.08.2025 08:55 (3 sources, 3 articles). Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files.
First reported: 26.08.2025 11:08 (1 source, 1 article). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage.
First reported: 26.08.2025 11:08 (1 source, 1 article). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
First reported: 26.08.2025 11:08 (1 source, 1 article). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
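The Git snippets above describe the trigger (a submodule path value carrying a trailing carriage return in a configuration file) and list the releases in which it was fixed. The Python below is an added defensive example, not code from the cited articles or from the Git project: `is_git_patched` checks a `git --version` string against the fixed release list quoted above, and `scan_gitmodules` flags `.gitmodules` lines whose content contains a carriage return so a CI job can reject such a file before a recursive clone or checkout. The sample `.gitmodules` content, the `example.invalid` URLs and all function names are constructed for the example; treating release lines absent from the list as unpatched when older than 2.43 and patched when newer than 2.50 is an assumption drawn from the list, not a statement from the sources.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First fixed release of each minor line, as listed in the advisory text.
FIXED_VERSIONS = ["2.43.7", "2.44.4", "2.45.4", "2.46.4",
                  "2.47.3", "2.48.2", "2.49.1", "2.50.1"]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]')


def parse_git_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like 'git version 2.50.1'
    or 'git version 2.39.5 (Apple Git-154)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_git_patched(version_text: str) -> bool:
    """True when the version carries the CVE-2025-48384 fix per FIXED_VERSIONS."""
    major, minor, patch = parse_git_version(version_text)
    fixed = {(maj, mnr): p for maj, mnr, p in map(parse_git_version, FIXED_VERSIONS)}
    line = (major, minor)
    if line in fixed:
        return patch >= fixed[line]
    # Assumption: lines newer than the newest fixed line include the fix;
    # lines older than the oldest fixed line received no fix.
    return line > max(fixed)


@dataclass
class Finding:
    line_no: int              # 1-based line in the .gitmodules text
    submodule: Optional[str]  # [submodule "<name>"] section the line belongs to
    key: Optional[str]        # config key on that line (e.g. "path"), if any
    raw_line: str             # the offending line, CR preserved


def scan_gitmodules(text: str) -> Tuple[bool, List[Finding]]:
    """Report every line containing a carriage return.

    Splits on LF only so that a CR survives into the findings. The first
    return value is True when every non-blank line ends in CR, i.e. the file
    was simply authored with CRLF line endings and should be normalized to LF
    rather than treated as individually suspicious lines."""
    lines = text.split("\n")
    non_blank = [ln for ln in lines if ln.strip()]
    crlf_file = bool(non_blank) and all(ln.endswith("\r") for ln in non_blank)

    findings: List[Finding] = []
    section: Optional[str] = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip(" \t")        # keep CR; only drop ordinary indentation
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
        if "\r" not in raw:
            continue
        key = None
        if "=" in line and not line.startswith("["):
            key = line.split("=", 1)[0].strip()
        findings.append(Finding(line_no, section, key, raw))
    return crlf_file, findings


# Constructed sample: the second submodule's path value ends in a bare CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "tool"]\n'
    '\tpath = tool\r\n'
    '\turl = https://example.invalid/tool.git\n'
)

if __name__ == "__main__":
    for v in ("git version 2.50.0", "git version 2.50.1", "git version 2.39.5 (Apple Git-154)"):
        print(f"{v!r}: {'patched' if is_git_patched(v) else 'NOT patched'}")
    crlf, found = scan_gitmodules(SAMPLE_GITMODULES)
    print(f"whole-file CRLF: {crlf}")
    for f in found:
        print(f"line {f.line_no}: submodule={f.submodule!r} key={f.key!r} raw={f.raw_line!r}")
```

The scanner covers only the configuration-file half of the chain the snippet describes; the symlink into the submodule hooks directory and the executable post-checkout hook are filesystem state that a pipeline would have to inspect separately, and the version check is the stronger control since a patched Git does not act on the stray CR at all.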
The vulnerability impacts software developers using Git on workstations and CI/CD build systems.
First reported: 26.08.2025 11:08 (1 source, 1 article). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
CISA added CVE-2025-48384 to its KEV catalog on August 26, 2025, mandating federal agencies to patch it by September 15, 2025.
First reported: 26.08.2025 11:08 (1 source, 1 article). Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to remote code execution and/or denial-of-service.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7776 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to unpredictable or erroneous behavior and denial-of-service.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7775 has been actively exploited in the wild.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7775 was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The vulnerabilities were patched in NetScaler ADC and NetScaler Gateway versions 14.1-47.48, 13.1-59.22, 13.1-FIPS 13.1-37.241, and 12.1-FIPS 12.1-55.330 and later releases.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmeli discovered and reported the vulnerabilities.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7775 is the latest in a series of NetScaler ADC and Gateway vulnerabilities exploited in real-world attacks, following CVE-2025-5777 and CVE-2025-6543.
First reported: 26.08.2025 20:29 (2 sources, 2 articles). Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-7776 is a memory overflow vulnerability that can cause unpredictable behavior or denial-of-service conditions.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
CVE-2025-8424 is an improper access control vulnerability that can allow unauthorized access to sensitive data and functions.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
First reported: 26.08.2025 23:04 (1 source, 1 article). Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.
Command injection flaw in Libraesva ESG exploited by state actors
Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.