The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system.
The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th.
Git version control system allows software development teams to track codebase changes over time. The library is the backbone of modern software collaboration, serving as the basis for platforms such as GitHub, GitLab, and Bitbucket.
The exploited vulnerability in Git has a high-severity score and is tracked as CVE-2025-48384. It stems from Git’s mishandling of carriage return (r) characters in configuration files.
A mismatch between how Git writes and reads these characters causes incorrect submodule path resolution.
Attackers can exploit the issue by publishing repositories with submodules ending in r and a crafted symlink with a malicious hook setup, leading to arbitrary code execution on the machines of users who clone them.
Git discovered the issue on July 8, 2025, and pushed fixes in the following versions: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
If updating is not possible, the recommendation is to avoid recursive submodule clones from untrusted sources, disable Git hooks globally via core.hooksPath, or enforce only audited submodules.
Along with the Git flaw, CISA also added to the KEV catalog two Citrix Session Recording vulnerabilities that the vendor fixed in November 2024, namely CVE-2024-8068 and CVE-2024-8069. Both security issues received a medium-severity score.
CVE-2024-8068 allows an authenticated user in the same Active Directory domain as the Session Recording server to escalate privileges to the NetworkService account.
CVE-2024-8069 enables an authenticated intranet user to achieve limited remote code execution with NetworkService privileges through deserialization of untrusted data.
The flaws affect Citrix Session Recording before 2407 hotfix 24.5.200.8 (CR), 1912 LTSR before CU9 hotfix 19.12.9100.6, 2203 LTSR before CU5 hotfix 22.03.5100.11, and 2402 LTSR before CU1 hotfix 24.02.1200.16.
CISA has given organizations the same deadline, September 15th, to apply the fixes provided by the vendor or to stop using the products.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
