Multiple vulnerabilities in Citrix, Git, and GitLab added to CISA KEV catalog
Summary
CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway; a five-year-old GitLab vulnerability (CVE-2021-39935) that is actively being exploited in attacks was added later. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw (CVE-2025-48384) was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities, within 48 hours for the NetScaler vulnerabilities, and by February 24, 2026, for the GitLab vulnerability.

The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway.

CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. It affects macOS and Linux systems; Windows systems are immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. It impacts software developers using Git on workstations and CI/CD build systems.

CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. It affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. CISA added the flaw to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026.

CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway to those hit by the CitrixBleed and CitrixBleed2 vulnerabilities.
Timeline
- 04.02.2026 17:42 · 1 article
CISA adds GitLab SSRF flaw to KEV catalog, mandating immediate remediation
CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API. The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. GitLab patched the flaw in December 2021. CISA added the flaw to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026.
Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- 26.08.2025 20:29 · 2 articles
CISA adds CVE-2025-7775 to KEV catalog, mandating immediate remediation
CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction. The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- 26.08.2025 08:55 · 5 articles
CISA adds three exploited vulnerabilities in Citrix and Git to KEV catalog
The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities. Additionally, CISA has added a five-year-old GitLab vulnerability (CVE-2021-39935) to its KEV catalog, which is actively being exploited in attacks.
Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
Information Snippets
- CVE-2024-8068 is an improper privilege management vulnerability in Citrix Session Recording that allows privilege escalation to NetworkService Account access.
  First reported: 26.08.2025 08:55 · 1 source, 1 article. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- CVE-2024-8069 is a deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with NetworkService Account privileges.
  First reported: 26.08.2025 08:55 · 1 source, 1 article. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- CVE-2025-48384 is a link following vulnerability in Git that results in arbitrary code execution due to inconsistent handling of carriage return characters in configuration files.
  First reported: 26.08.2025 08:55 · 3 sources, 3 articles. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The Citrix vulnerabilities were patched in November 2024 after responsible disclosure by watchTowr Labs on July 14, 2024.
  First reported: 26.08.2025 08:55 · 2 sources, 2 articles. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The Git vulnerability was addressed in July 2025, with a proof-of-concept exploit released by Datadog.
  First reported: 26.08.2025 08:55 · 4 sources, 4 articles. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The Git vulnerability allows for arbitrary code execution when a submodule path contains a trailing carriage return, combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook.
  First reported: 26.08.2025 08:55 · 4 sources, 4 articles. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- Federal Civilian Executive Branch agencies must apply mitigations by September 15, 2025, to secure their networks against these active threats.
  First reported: 26.08.2025 08:55 · 4 sources, 4 articles. Sources:
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git — thehackernews.com — 26.08.2025 08:55
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files.
  First reported: 26.08.2025 11:08 · 2 sources, 2 articles. Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage.
  First reported: 26.08.2025 11:08 · 2 sources, 2 articles. Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
  First reported: 26.08.2025 11:08 · 2 sources, 2 articles. Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
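As an added defender-side example (not code from any of the cited articles), the following Python script performs the two checks a workstation or CI administrator would want for CVE-2025-48384: whether a Git version is at or above one of the fixed releases listed above, and whether a repository's .gitmodules carries a submodule path containing a carriage return, the trigger condition the snippets describe. The handling of 2.x release lines older than 2.43 (no fix listed, treated as unpatched) and newer than 2.50 (treated as patched) is an assumption, and the sample .gitmodules is constructed.

```python
import re
import subprocess

# Fixed releases named on the page, keyed by the 2.x minor line.
FIXED = {43: (2, 43, 7), 44: (2, 44, 4), 45: (2, 45, 4), 46: (2, 46, 4),
         47: (2, 47, 3), 48: (2, 48, 2), 49: (2, 49, 1), 50: (2, 50, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]')
_PATH_RE = re.compile(r"^\s*path\s*=\s*(.*)$")


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'git version 2.47.2'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.groups())


def git_is_fixed(version):
    """True if this version has the fix. Assumption (not on the page): 2.x
    lines older than 2.43 count as unpatched, lines newer than 2.50 as
    patched."""
    major, minor, _ = version
    if major != 2:
        return major > 2
    if minor not in FIXED:
        return minor > max(FIXED)
    return tuple(version) >= FIXED[minor]


def installed_git_is_fixed():
    """Run `git --version` on this host (git must be on PATH)."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return git_is_fixed(parse_version(out))


def suspicious_submodule_paths(gitmodules_text):
    """Return [(submodule name, raw path)] for paths that contain a CR.

    Lines are split on LF only so a CR stays attached to the value. When the
    whole file uses CRLF (a normal Windows-style checkout), one trailing CR
    per line is the line ending and is stripped before the check.
    """
    lines = gitmodules_text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # empty tail produced by a final newline
    all_crlf = bool(lines) and all(line.endswith("\r") for line in lines)
    hits, current = [], None
    for line in lines:
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            continue
        m = _PATH_RE.match(line)
        if not m:
            continue
        value = m.group(1)[:-1] if all_crlf else m.group(1)
        if "\r" in value:
            hits.append((current, value))
    return hits


# Constructed sample: the second submodule's path carries a stray CR.
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n\tpath = deps/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "evil"]\n\tpath = deps/evil\r\n'
    '\turl = https://example.invalid/evil.git\n'
)
```

Run `suspicious_submodule_paths` over the .gitmodules of repositories your CI clones before `git submodule update` executes; a hit on a Linux or macOS runner is worth blocking until the runner's Git passes `installed_git_is_fixed()`.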
- The vulnerability impacts software developers using Git on workstations and CI/CD build systems.
  First reported: 26.08.2025 11:08 · 2 sources, 2 articles. Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CISA added CVE-2025-48384 to its KEV catalog on August 26, 2025, mandating federal agencies to patch it by September 15, 2025.
  First reported: 26.08.2025 11:08 · 2 sources, 2 articles. Sources:
- Organizations Warned of Exploited Git Vulnerability — www.securityweek.com — 26.08.2025 11:08
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to remote code execution and/or denial-of-service.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7776 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to unpredictable or erroneous behavior and denial-of-service.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 has been actively exploited in the wild.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities were patched in NetScaler ADC and NetScaler Gateway versions 14.1-47.48, 13.1-59.22, 13.1-FIPS 13.1-37.241, and 12.1-FIPS 12.1-55.330 and later releases.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmeli discovered and reported the vulnerabilities.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 is the latest in a series of NetScaler ADC and Gateway vulnerabilities exploited in real-world attacks, following CVE-2025-5777 and CVE-2025-6543.
  First reported: 26.08.2025 20:29 · 2 sources, 2 articles. Sources:
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775 — thehackernews.com — 26.08.2025 20:29
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can be exploited remotely without credentials or user interaction.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerability affects specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-7776 is a memory overflow vulnerability that can cause unpredictable behavior or denial-of-service conditions.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2025-8424 is an improper access control vulnerability that can allow unauthorized access to sensitive data and functions.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
  First reported: 26.08.2025 23:04 · 1 source, 1 article. Sources:
- Citrix Gear Under Active Attack Again With Another Zero-Day — www.darkreading.com — 26.08.2025 23:04
- CVE-2021-39935 is a server-side request forgery (SSRF) flaw in GitLab that allows unauthenticated attackers to access the CI Lint API.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- The vulnerability affects GitLab CE/EE versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- GitLab patched the flaw in December 2021.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- CISA added CVE-2021-39935 to its KEV catalog on February 4, 2026, mandating federal agencies to patch it by February 24, 2026.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- Shodan is tracking over 49,000 devices with a GitLab fingerprint exposed online, with the majority in China.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
- GitLab's DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 organizations.
  First reported: 04.02.2026 17:42 · 1 source, 1 article. Sources:
- CISA warns of five-year-old GitLab flaw exploited in attacks — www.bleepingcomputer.com — 04.02.2026 17:42
Similar Happenings
CVE-2024-37079 in VMware vCenter Exploited in the Wild
CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with four new vulnerabilities that are being actively exploited in the wild. The vulnerabilities affect Synacor Zimbra Collaboration Suite, Versa Concerto SD-WAN, Vite Vitejs, and eslint-config-prettier. Federal agencies are required to apply patches by February 12, 2026. The vulnerabilities include a PHP remote file inclusion flaw, an authentication bypass, an improper access control issue, and a supply chain attack involving malicious code execution. Exploitation of one of the vulnerabilities, CVE-2025-68645, has been ongoing since January 14, 2026. CVE-2025-31125 affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. CVE-2025-34026 is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs. Affected products for CVE-2025-34026 are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted. Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025. Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) for CVE-2025-54313 would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens. CVE-2025-68645 is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1 caused by improper handling of user-supplied parameters in the RestFilter servlet.
Critical Authentication Bypass in GNU InetUtils telnetd
A critical authentication bypass vulnerability (CVE-2026-24061) in GNU InetUtils telnetd, affecting versions 1.9.3 to 2.7, allows remote attackers to gain root access by exploiting the USER environment variable. The flaw, introduced in 2015, enables bypassing normal authentication if the client supplies a crafted USER value. Mitigations include patching and restricting network access to the telnet port. Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints globally, with over 380,000 in Asia, almost 170,000 in South America, and just over 100,000 in Europe. GreyNoise observed 18 unique IP addresses exploiting this flaw over the past 24 hours, with attacks targeting the 'root' user in 83.3% of cases. The attacks involved automated reconnaissance and attempts to persist SSH keys and deploy Python malware, which failed on the observed systems due to missing binaries or directories.
Cisco Unified Communications RCE Zero-Day Exploited in Attacks
Cisco has patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling products, which has been actively exploited in attacks. The flaw, with a CVSS score of 8.2, allows attackers to gain user-level access and escalate privileges to root on affected systems. Cisco has released patches for various versions of the impacted products and urged customers to update immediately. The U.S. CISA has added the vulnerability to its KEV Catalog, requiring federal agencies to patch by February 11, 2026.
MITRE and CISA release 2025's top 25 most dangerous software weaknesses
MITRE, in collaboration with HSSEDI and CISA, has published the 2025 list of the top 25 most dangerous software weaknesses. The list is based on an analysis of 39,080 CVE records reported between June 2024 and June 2025. Cross-Site Scripting (CWE-79) remains the most critical weakness, while several new entries, including Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow, Heap-based Buffer Overflow, and Improper Access Control (CWE-284), have been added to the list. SQL injection and Cross-site request forgery have moved up in the rankings, while several other weaknesses have dropped. The list highlights weaknesses that are frequently exploited by threat actors to compromise systems, steal data, or disrupt services. CISA and MITRE encourage organizations to review the list and integrate it into their software security strategies.