CVE-2024-8068 — Citrix Session Recording Improper Privilege Management Vulnerability

Citrix Session Recording — Privilege Escalation to NetworkService Account; Chained with CVE-2024-8069 for RCE

What is Citrix Session Recording?

Citrix Session Recording is a component of Citrix Virtual Apps and Desktops (formerly XenApp/XenDesktop) that records and plays back user sessions on virtual desktops and published applications. Enterprises deploy it for compliance, auditing, and insider-threat monitoring. The Session Recording server is a Windows-based service that receives, stores, and manages recording data from the virtual desktop infrastructure (VDI). Because the server is domain-joined alongside the rest of the Citrix infrastructure, and because the recordings it holds are themselves sensitive, a compromised Session Recording server can be used both to read recorded user sessions and to reach other components of the VDI environment.

Overview

CVE-2024-8068 is an improper privilege management vulnerability in Citrix Session Recording that allows an authenticated attacker in the same Windows Active Directory domain as the Session Recording server to escalate privileges to the NetworkService account on that server. NetworkService is a built-in Windows service identity that is limited locally but authenticates to other hosts as the server's computer account, so code running under it can be used as a pivot to other domain-joined services. Citrix published it together with CVE-2024-8069, a deserialization vulnerability in the same component that yields remote code execution at the NetworkService privilege level. CISA added both to the KEV catalog on August 25, 2025, roughly nine months after the November 2024 patch release.

Affected Versions

Product | Status
Citrix Virtual Apps and Desktops (Session Recording component) | Patch available via Citrix security bulletin

Check the Citrix security bulletin for the exact release lines and hotfix builds that contain the fix.

Technical Details

CWE-269 (Improper Privilege Management). The Citrix Session Recording server component improperly manages the privileges associated with certain operations or service calls. An authenticated user in the same Active Directory domain can interact with the Session Recording service in a way that results in code or operations running under the NetworkService account on the server, a service identity the user does not otherwise hold there. The CVSS attack vector is Adjacent (AV:A): the attacker must be able to reach the Session Recording server over the internal network with domain credentials, rather than from arbitrary internet sources. Privileges Required is Low (PR:L), meaning an ordinary domain user suffices; no administrative rights are needed.

On Windows, NetworkService (SID S-1-5-20) has limited rights on the local machine, but when it authenticates over the network it presents the computer account of the host it runs on. On a domain-joined Session Recording server that makes it a useful pivot: whatever the server's computer account is trusted to reach, the attacker can now reach. The account also holds SeImpersonatePrivilege locally, which is a well-known stepping stone toward SYSTEM on the same host, so NetworkService should not be treated as a low-value foothold.

Discovery

Reported to Citrix, which published its security bulletin and patches in November 2024. CISA's KEV listing followed nine months later (August 2025); the listing indicates CISA obtained evidence of exploitation during that period, but the KEV entry does not state what the evidence was or when exploitation began.

Exploitation Context

The August 2025 CISA KEV addition indicates that exploitation has been observed in the wild. CVE-2024-8068 and CVE-2024-8069 are described as a chain: CVE-2024-8068 supplies the privilege escalation to NetworkService, while CVE-2024-8069 (deserialization) supplies the code execution primitive at that level. Together they let an attacker holding ordinary domain credentials run code as NetworkService on the Session Recording server, from which the recorded sessions are readable and the server's computer account can be used for lateral movement within the VDI environment.

Remediation

  1. Apply the Citrix security bulletin patch for Session Recording immediately, and verify the installed build afterwards rather than relying on the deployment job's status.
  2. If unable to patch immediately, restrict Session Recording server network access to only the Citrix VDI components that legitimately talk to it (Session Recording agents on the VDAs, the Session Recording player and policy consoles, and the database). Because the vector is Adjacent and requires only a low-privileged domain account, limiting which hosts can reach the service is the most effective interim control.
  3. After patching, review Session Recording server event logs for unauthorized access or unexpected service activity: new services installed, processes created under the NetworkService account that are not Citrix binaries, and network logons from accounts with no business reason to touch the server.
  4. See also CVE-2024-8069 (deserialization RCE). Both vulnerabilities ship in the same bulletin and should be patched together, since they are frequently chained.
  5. Audit Active Directory permissions for the Session Recording service account and the server's computer account, and apply the principle of least privilege so that a NetworkService-level compromise cannot be used to reach unrelated systems.
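The following PowerShell is an added example of the post-patch checks in steps 1 through 3, written for this page; it is not code from Citrix or from the security bulletin. It is meant to be run in an elevated session on the Session Recording server. The product DisplayName pattern, the fixed build number (which you must take from the Citrix bulletin), the VDA subnet, and the listener port are all assumptions marked inline; 1801/TCP is the default MSMQ listener, which is the agent-to-server transport in a typical Session Recording deployment, but it must match whatever transport your environment actually uses.

```powershell
# Added example for CVE-2024-8068 / CVE-2024-8069 follow-up on a Citrix Session
# Recording server. Not vendor code. Placeholders are marked "assumption".
#Requires -RunAsAdministrator

# Step 1: inventory the installed Session Recording components from the
# Uninstall registry keys (DisplayName pattern is an assumption).
function Get-SessionRecordingInstall {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Session Recording*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

# Step 1 (verification): compare each installed build against the fixed build
# listed in the Citrix bulletin for your release line. $FixedVersion is an
# assumption supplied by the operator; the bulletin is the source of truth.
function Test-SessionRecordingPatched {
    param([Parameter(Mandatory)][version]$FixedVersion)
    foreach ($p in Get-SessionRecordingInstall) {
        [version]$installed = $p.DisplayVersion
        [pscustomobject]@{
            Product   = $p.DisplayName
            Installed = $installed
            Patched   = ($installed -ge $FixedVersion)
        }
    }
}

# Which Citrix services run as NetworkService (S-1-5-20)? That is the identity
# CVE-2024-8068 escalates to. Also confirm nobody "fixed" a problem by pointing
# a service at a domain admin account, which would make the chain far worse.
function Get-CitrixServiceAccounts {
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like 'Citrix*' } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

# Step 2: scope every enabled inbound allow rule for the agent-to-server port
# to the VDA subnet. Windows Firewall evaluates block rules before allow rules,
# so narrowing the existing allow rules is safer than adding a competing block.
# $VdaSubnet and $Port are assumptions for your environment.
function Restrict-SessionRecordingIngress {
    param([string]$VdaSubnet = '10.20.0.0/16', [int]$Port = 1801)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" } |
        Set-NetFirewallRule -RemoteAddress $VdaSubnet
}

# Helper: pull one named field out of an event's EventData by name, which is
# more robust than relying on positional Properties[] indexes across OS builds.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

# Step 3: hunt for post-exploitation residue since a chosen baseline.
#  - System 7045: a service was installed (common persistence after RCE).
#  - Security 4688 with SubjectUserSid S-1-5-20: a process was created as
#    NetworkService. Requires "Audit Process Creation" to be enabled.
#    Anything that is not a known Citrix binary deserves a closer look.
function Find-SuspiciousActivity {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 7045; StartTime = $Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'NewService'
                Detail = (Get-EventDataField $_ 'ServiceName') + ' -> ' + (Get-EventDataField $_ 'ImagePath') }
        }

    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688; StartTime = $Since} -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataField $_ 'SubjectUserSid') -eq 'S-1-5-20' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'NetworkServiceProcess'
                Detail = (Get-EventDataField $_ 'NewProcessName') + ' (parent: ' + (Get-EventDataField $_ 'ParentProcessName') + ')' }
        }
}

# Usage (run the firewall change only after confirming the port and subnet):
Get-SessionRecordingInstall | Format-Table -AutoSize
# Test-SessionRecordingPatched -FixedVersion '<fixed build from the Citrix bulletin>'
Get-CitrixServiceAccounts | Format-Table -AutoSize
Find-SuspiciousActivity | Sort-Object Time | Format-Table -AutoSize
# Restrict-SessionRecordingIngress -VdaSubnet '10.20.0.0/16' -Port 1801
```

The 4688 filter keys on the SID rather than the account name because the display name of NetworkService is localized, while S-1-5-20 is fixed. If process-creation auditing was not enabled before the incident window, that query returns nothing and is not evidence of absence; the 7045 check and the service-account review still apply.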

Key Details

Property | Value
CVE ID | CVE-2024-8068
Vendor / Product | Citrix — Session Recording
NVD Published | 2024-11-12
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 8.0
CVSS 3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-269
CISA KEV Added | 2025-08-25
CISA KEV Deadline | 2025-09-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-09-15. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-11-12 | Citrix publishes security bulletin; patches released for Citrix Session Recording
2024-11-12 | CVE published
2025-08-25 | Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-8069
2025-09-15 | CISA BOD 22-01 remediation deadline