Citrix Recording Manager Zero-Day Bug Allows Unauthenticated RCE

The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.

[Ed. note, Nov. 12 at 12:30 p.m. ET: Citrix has now issued patches for the issue and assigned CVE-2024-8068/CVE-2024-8069 for tracking.]
An unpatched zero-day
vulnerability in Citrix’s Session Recording Manager
allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover.
According to watchTowr research out today, the issue (which does not yet have a CVE or
CVSS score
) resides in Citrixs Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.
Citrix advertises the feature as being really useful for monitoring (somewhat obviously), but also for compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities, the watchTowr researchers noted in the
report
.
The feature logs session recordings via Microsoft Message Queuing (MSMQ), which enables efficient data transfer from individual computers to centralized storage. However, the Citrix implementation uses BinaryFormatter for serialization and deserialization of the information for easier and more accurate transfer and storage. The utility is unfortunately well-known
to be insecure
.
BinaryFormatter is a .NET class created by Microsoft, which is in the process of deprecating it: BinaryFormatter is insecure and cant be made secure. Applications should stop using [it] as soon as possible, even if they believe the data theyre processing to be trustworthy, the computing giant
said
in August.
On top of the BinaryFormatter issue, Recording Session Manager also involves an exposed MSMQ service that can be reached from any host via HTTP. This, combined with what watchTowr says are misconfigured permissions, paves the way for unauthenticated RCE.
Dark Reading has reached out for comment and planned patching or mitigation information from both watchTowr and Citrix. There is no evidence of in-the-wild exploitation yet, but given
Citrixs attractiveness as a cybercrime target
, that could soon change.
Dont miss the upcoming free
Dark Reading Virtual Event
, Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors, Nov. 14 at 11 am ET.
Dont miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia.
Register now!

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Citrix Recording Manager Zero-Day Bug Allows Unauthenticated RCE