CVE-2024-8068 and CVE-2024-8069: Citrix Session Recording Vulnerability – What You Need to Know

Author: Nethanel Gelernter, Co-Founder and CTO | Date: November 13, 2024

Summary of the Vulnerabilities

  • CVE-2024-8068 and CVE-2024-8069 affect Citrix Session Recording Manager.
  • Potential for unauthenticated remote code execution (RCE) under specific conditions.
  • According to Citrix, exploitation requires the attacker to be an authenticated user in the same Windows Active Directory domain and intranet as the session recording server.
  • Patched in recent versions (see below for affected versions).

Technical Details & Affected Versions

Citrix Session Recording Manager records user activity for compliance and troubleshooting. The vulnerabilities allow privilege escalation to the NetworkService account and limited RCE when exploited by an authenticated user on the same network.

Affected Versions

  • Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8 (Current Release)
  • 1912 LTSR before CU9 hotfix 19.12.9100.6
  • 2203 LTSR before CU5 hotfix 22.03.5100.11
  • 2402 LTSR before CU1 hotfix 24.02.1200.16

For more details, see the Citrix advisory.

IONIX Research Findings

  • IONIX developed an exploit simulation module based on available public exploits.
  • After scanning thousands of Citrix instances across customer attack surfaces, IONIX found that most cannot be attacked remotely (without authentication) using current exploits.
  • IONIX customers receive real-time updates in the Threat Center within the IONIX portal.

What Should You Do?

  1. Check your Citrix Session Recording version and apply the latest hotfixes as recommended by Citrix.
  2. Monitor for suspicious activity from authenticated users within your network.
  3. IONIX customers: Review the Threat Center for up-to-date intelligence and remediation guidance.

Citrix reports that exploitation is only possible under specific circumstances, and no in-the-wild exploitation has been observed by IONIX as of this writing.

How IONIX Solves These Challenges

  • Complete Attack Surface Visibility: IONIX discovers all internet-facing Citrix instances and related assets, including shadow IT and unmanaged projects, so you can identify exposure quickly.
  • Risk Assessment & Prioritization: The platform validates which Citrix assets are at risk and prioritizes remediation based on severity and context, cutting through alert noise.
  • Streamlined Remediation: IONIX provides actionable steps and integrates with ticketing and SIEM/SOAR tools (e.g., Jira, ServiceNow, Splunk) for rapid response.
  • Continuous Monitoring: Ongoing scans ensure that new vulnerabilities or misconfigurations are detected as your environment evolves.

Learn how E.ON and Warner Music Group used IONIX to proactively discover and remediate vulnerabilities in dynamic IT environments.

Why Choose IONIX for Vulnerability Management?

  • Better Discovery: ML-based Connective Intelligence finds more assets with fewer false positives than competitors.
  • Focused Threat Exposure: Threat Exposure Radar helps prioritize the most urgent Citrix and other security issues.
  • Comprehensive Digital Supply Chain Coverage: Automatically maps attack surfaces and dependencies, including Citrix and related technologies.
  • Security & Compliance: SOC2 compliant, supports NIS-2 and DORA compliance.
  • Ease of Use: Customers rate IONIX as user-friendly, with dedicated account managers and rapid onboarding.

Frequently Asked Questions (FAQ)

How does IONIX help detect Citrix vulnerabilities?
IONIX continuously scans your external attack surface, including Citrix instances, and alerts you to vulnerabilities like CVE-2024-8068/8069. It validates exploitability and prioritizes remediation.

Can IONIX integrate with my existing security tools?
Yes. IONIX integrates with Jira, ServiceNow, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, AWS services, and more. See all integrations.

What support is available if I find a vulnerable Citrix instance?
IONIX provides technical support, a dedicated account manager, and regular review meetings to help you remediate vulnerabilities quickly.

How quickly can I get started with IONIX?
Deployment takes about a week and requires minimal resources. Onboarding resources and technical support are available throughout the process.

What makes IONIX different from other attack surface management solutions?
IONIX offers superior asset discovery, fewer false positives, prioritized threat exposure, and comprehensive supply chain mapping. Customers like E.ON and Warner Music Group have seen measurable improvements in risk management.


IONIX Tracks CVE-2024-8068 and CVE-2024-8069: Citrix Session Recording Vulnerability (claimed to be RCE): This post is based on ongoing security research – and will continue to be updated as we get additional information…

Two Citrix vulnerabilities (CVE-2024-8068 and CVE-2024-8069) can potentially lead to unauthenticated remote code execution.

Note: according to the vendor, privilege escalation to NetworkService account access and limited remote code execution with the privileges of the NetworkService account are possible in Citrix Session Recording when the attacker is an authenticated user on the same intranet.

This means that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server domain and on the same intranet as the session recording server. Citrix has addressed the defects in a number of versions (see below).

The IONIX research team created an exploit simulation module based on the available exploits for the issue.
Based on scanning thousands of Citrix instances in the attack surface of IONIX customers, the IONIX research team believes that most Citrix instances cannot be attacked remotely (without authentication) with the currently available exploits.

What is Citrix Recording Manager?

According to this report, Citrix’s Session Recording Manager records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.

“Citrix advertises the feature as being really useful for monitoring, compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities,” the watchTowr researchers noted in the report.

The following supported versions of Citrix Session Recording are affected by the vulnerability:

Current Release (CR)

  • Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8

Long Term Service Release (LTSR)

  • Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
  • Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
  • Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16
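
The version check implied by the list above, as an added example (not IONIX or Citrix code): it compares Session Recording build numbers from an inventory against the fixed hotfix builds on this page. It assumes the installed build is reported in the same four-part form, that the first two fields identify the LTSR branch, and that any other build belongs to the Current Release; the inventory rows are constructed.

```python
# Fixed hotfix builds from the list above, keyed by LTSR branch (major, minor).
LTSR_FIXED = {
    (19, 12): (19, 12, 9100, 6),   # 1912 LTSR CU9 hotfix
    (22, 3): (22, 3, 5100, 11),    # 2203 LTSR CU5 hotfix (written 22.03.5100.11)
    (24, 2): (24, 2, 1200, 16),    # 2402 LTSR CU1 hotfix (written 24.02.1200.16)
}
CR_FIXED = (24, 5, 200, 8)         # 2407 Current Release hotfix


def parse_build(text):
    """Turn '22.03.5100.11' into (22, 3, 5100, 11); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_build_for(build):
    """Assumption: first two fields name the LTSR branch; anything else is CR."""
    return LTSR_FIXED.get(build[:2], CR_FIXED)


def needs_hotfix(text):
    build = parse_build(text)
    return build < fixed_build_for(build)


def triage(inventory):
    """Map each host to 'needs hotfix', 'at or above fixed build' or 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "needs hotfix" if needs_hotfix(version) else "at or above fixed build"
        except ValueError:
            result[host] = "unparseable"   # surface bad rows instead of skipping them
    return result


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = {
    "sr-01": "19.12.9000.4",
    "sr-02": "22.03.5100.11",
    "sr-03": "24.5.100.3",
    "sr-04": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
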

What should I do about CVE-2024-8068 and CVE-2024-8069?

IONIX customers will see updated information in the threat center of the IONIX portal. Citrix claims CVE-2024-8068 and CVE-2024-8069 can be exploited only under very specific circumstances, and we have not yet found exploited Citrix instances in the wild.

References

Citrix (vendor) advisory, https://support.citrix.com/s/article/CTX691941-citrix-session-recording-security-bulletin-for-cve20248068-and-cve20248069?language=en_US
Citrix Recording Manager Zero-Day Allows Unauthenticated RCE, https://www.darkreading.com/cloud-security/citrix-recording-manager-zero-day-bug-unauthenticated-rce
New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration, https://thehackernews.com/2024/11/new-flaws-in-citrix-virtual-apps-enable.html
