
CISA Adds Critical BeyondTrust Software Flaw to Exploited Vulnerabilities List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) software to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed reports of active exploitation in the wild.


The flaw, identified as CVE-2024-12356, carries a CVSS score of 9.8 and is classified as a command injection vulnerability. Malicious actors could exploit this issue to execute arbitrary commands with the same privileges as the site user.

CISA detailed the risk, stating:


“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.”


Patch Availability and Recommendations

BeyondTrust has addressed the vulnerability for customers using its cloud-hosted solutions. However, users of self-hosted versions of the software are strongly advised to update to the following patched versions immediately:

  • Privileged Remote Access (versions 24.3.1 and earlier):
    Apply patches BT24-10-ONPREM1 or BT24-10-ONPREM2.
  • Remote Support (versions 24.3.1 and earlier):
    Apply patches BT24-10-ONPREM1 or BT24-10-ONPREM2.
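As an added example (not code from the article, CISA or BeyondTrust), the following script triages a self-hosted fleet against the version and patch identifiers listed above: it parses a constructed excerpt in the layout of the CISA KEV JSON feed, confirms CVE-2024-12356 is listed for BeyondTrust, and reports appliances at 24.3.1 or earlier that lack BT24-10-ONPREM1 or BT24-10-ONPREM2. Hostnames, versions and the inventory format are assumptions for illustration.

```python
import json

# Constructed excerpt in the CISA KEV JSON layout. Field names follow the real
# feed; the values are taken from the article, not fetched live.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356",
         "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "vulnerabilityName": "BeyondTrust PRA and RS Command Injection Vulnerability",
         "requiredAction": "Apply mitigations per vendor instructions."}
    ]
})

# Constructed inventory of self-hosted appliances (hypothetical hosts/versions).
INVENTORY = [
    {"host": "pra-01.example.internal", "product": "PRA", "version": "24.3.1",
     "patches": []},
    {"host": "rs-01.example.internal", "product": "RS", "version": "24.2.0",
     "patches": ["BT24-10-ONPREM1"]},
    # BT24-11 patches address CVE-2024-12686; only BT24-10-ONPREM1/2 are
    # named by the article as fixes for CVE-2024-12356, so this host is flagged.
    {"host": "rs-02.example.internal", "product": "RS", "version": "24.3.1",
     "patches": ["BT24-11-ONPREM3"]},
]

TARGET_CVE = "CVE-2024-12356"
AFFECTED_MAX = (24, 3, 1)                      # "24.3.1 and earlier"
FIXING_PATCHES = {"BT24-10-ONPREM1", "BT24-10-ONPREM2"}

def parse_version(v):
    """'24.3.1' -> (24, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def kev_cves_for_vendor(kev_json, vendor):
    """Return the set of KEV CVE IDs whose vendorProject matches (case-insensitive)."""
    data = json.loads(kev_json)
    return {e["cveID"] for e in data["vulnerabilities"]
            if e["vendorProject"].lower() == vendor.lower()}

def unpatched_hosts(inventory, kev_json):
    """Hosts in the affected version range with none of the fixing patches applied."""
    if TARGET_CVE not in kev_cves_for_vendor(kev_json, "BeyondTrust"):
        return []
    return [h["host"] for h in inventory
            if parse_version(h["version"]) <= AFFECTED_MAX
            and not FIXING_PATCHES & set(h["patches"])]

if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY, KEV_SAMPLE):
        print(f"{host}: in scope for {TARGET_CVE}, apply BT24-10-ONPREM1/2")
```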


Recent BeyondTrust Cyber Attack and Additional Findings

This vulnerability disclosure comes shortly after BeyondTrust revealed a cyber attack earlier this month. In that incident, threat actors gained unauthorized access to some Remote Support SaaS instances using a compromised API key, which they used to reset local application account passwords.

During the investigation, BeyondTrust also identified another medium-severity vulnerability, CVE-2024-12686 (CVSS score: 6.6). This flaw could allow an attacker with existing administrative privileges to execute commands as a site user.


To address CVE-2024-12686, BeyondTrust has released multiple patches for both PRA and RS:

  • Privileged Remote Access (PRA):
    Patches BT24-11-ONPREM1 through BT24-11-ONPREM7 (which patch applies depends on the installed PRA version).
  • Remote Support (RS):
    Patches BT24-11-ONPREM1 through BT24-11-ONPREM7 (which patch applies depends on the installed RS version).


No Evidence of Wider Exploitation Yet

BeyondTrust has stated that it has notified all affected customers regarding the vulnerabilities. However, the company has not confirmed whether either CVE-2024-12356 or CVE-2024-12686 has been exploited outside the previously identified incidents.

The scope of the cyber attacks and the identities of the threat actors remain unclear at this time. BeyondTrust has engaged a third-party cybersecurity and forensics firm to assist with the investigation.