CVE-2024-8069

What is Citrix Session Recording?

Citrix Session Recording is an enterprise auditing component of Citrix Virtual Apps and Desktops that records, stores, and replays user sessions from virtual desktop infrastructure. The Session Recording server receives session data over the network from VDI hosts, processes it, and stores it for compliance review. Because it is a Windows-based service operating within the corporate Active Directory domain and accepting network connections from VDI infrastructure, vulnerabilities in its .NET deserialization handling can be triggered by any attacker who can reach the server on the local network.

Overview

CVE-2024-8069 is a deserialization of untrusted data vulnerability in Citrix Session Recording that allows a limited-privilege, domain-authenticated attacker in the same intranet to achieve remote code execution as the NetworkService account. It is paired with CVE-2024-8068 (improper privilege management in the same component) and the two are typically chained: CVE-2024-8068 provides the privilege escalation context, CVE-2024-8069 provides the code execution primitive. Both were patched by Citrix in November 2024 and added to the CISA KEV catalog simultaneously in August 2025.

Affected Versions

Technical Details

CWE-502 (Deserialization of Untrusted Data). The Citrix Session Recording server deserializes data received over the network without adequate validation of the serialized object's type or content. .NET deserialization vulnerabilities allow an attacker to craft a serialized object payload that, when deserialized by the server, executes arbitrary code — a technique well-documented for .NET's BinaryFormatter and related serialization mechanisms. The code execution occurs in the context of the service account running the Session Recording server component, which typically runs as the NetworkService account.

An attacker who can reach the Session Recording server's listening port — possible for any domain-authenticated user on the corporate network — can send a crafted deserialization payload to trigger code execution. Combined with CVE-2024-8068's privilege management flaw, the exploitation chain provides reliable code execution at NetworkService privilege on the Session Recording server.

Discovery

Reported to Citrix alongside CVE-2024-8068. Citrix published the security bulletin and patches in November 2024. The delay to CISA KEV addition (August 2025) indicates exploitation was discovered through threat intelligence after an extended period of unpatched deployments in enterprise environments.

Exploitation Context

Active exploitation was confirmed by CISA's August 25, 2025 KEV addition. The combination of CVE-2024-8069 (RCE) and CVE-2024-8068 (privesc) gives an attacker with domain network access code execution as the NetworkService account on the Session Recording server — from which lateral movement to other VDI infrastructure components is possible using the machine account credentials available to NetworkService. VDI environments are high-value targets as they concentrate access to multiple business-critical applications and may store session recordings of sensitive user activity.

Remediation

1. Apply the Citrix security bulletin patch for Session Recording immediately. Both CVE-2024-8069 and CVE-2024-8068 are addressed in the same patch.
2. If unable to patch immediately, restrict network access to the Session Recording server to only authorized Citrix VDI infrastructure — block direct access from general user workstations.
3. Review the Session Recording server's event logs and network connections for signs of unauthorized deserialization payload delivery prior to patching.
4. See also CVE-2024-8068 (privilege escalation) — the two vulnerabilities are typically chained and should be patched together.
5. Rotate the Session Recording service account credentials and audit its Active Directory permissions post-patch.