BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products are under scrutiny again: the Cybersecurity and Infrastructure Security Agency (CISA) says a second vulnerability, CVE-2024-12686, has been exploited in the wild. The flaw is an OS command injection rated medium severity and affects PRA and RS versions 24.3.1 and earlier. BeyondTrust found it while investigating the customer breaches of early December, in which Chinese nation-state attackers obtained an RS API key and used it to compromise the SaaS instances of several BeyondTrust customers, among them the U.S. Treasury Department.
During the SaaS incident response BeyondTrust disclosed a critical command injection flaw, CVE-2024-12356, in PRA and RS. Its incident status page did not explicitly state that either CVE-2024-12356 or CVE-2024-12686 had been exploited. CISA nevertheless added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog on Dec. 19 and added CVE-2024-12686 on Monday.
Under CISA’s standard KEV remediation deadline, federal civilian agencies must apply the vendor mitigations or stop using PRA and RS by Feb. 3. According to BeyondTrust’s security advisory, the flaw lets a user who already holds administrative privileges upload a malicious file, which can then be used to execute operating system commands in the context of the site user. The bug is therefore post-authentication: on its own it does not grant initial access, but an attacker who has already obtained an admin session or an equivalent credential can use it to move from the web application to the underlying host.
BeyondTrust has released patches for supported versions of RS and PRA from version 22.1 onward. Customers running anything older must first upgrade to a supported release before the fix can be applied. A BeyondTrust spokesperson confirmed that the company is aware of the KEV addition and issued a statement on the early December 2024 incident, saying the company is cooperating with law enforcement and supporting the investigation.
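The version boundaries above (affected up to and including 24.3.1; patches only for 22.1 and later) translate into a simple triage rule for an appliance inventory. The following script is an added example, not BeyondTrust or CISA tooling. It assumes the advisory’s boundaries as stated on this page, treats any release newer than 24.3.1 as outside the affected range, and uses a constructed inventory with invented hostnames. Because vendor fixes for this class of issue are often delivered as patches to an existing release rather than as a new version number, a patched appliance may still report a version inside the affected range; the verdict below is a starting point for follow-up, not proof of patch status.

```python
"""Triage a BeyondTrust PRA/RS inventory against the CVE-2024-12686 version range.

Added example, not vendor or CISA code. Boundaries come from the advisory summary
above; anything else (hostnames, versions in the sample inventory) is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]

# Advisory boundaries as reported above.
LAST_AFFECTED: Version = (24, 3, 1)   # 24.3.1 and earlier are vulnerable
OLDEST_PATCHABLE: Version = (22, 1)   # vendor patches exist for 22.1 and later

# Verdict strings returned by triage().
NOT_AFFECTED = "not affected (later than 24.3.1)"
PATCH = "affected: apply the vendor patch"
UPGRADE = "affected: upgrade to a supported release (22.1 or later) before patching"
UNKNOWN = "unrecognised version string: verify manually"


@dataclass
class Appliance:
    host: str
    product: str   # "PRA" or "RS"
    version: str   # as reported by the appliance, e.g. "24.3.1"


def parse_version(text: str) -> Version:
    """'24.3.1' -> (24, 3, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1. Right-pads with zeros so that 22.1 == 22.1.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def triage(version_text: str) -> str:
    """Map a reported version string to one of the verdict strings above."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return UNKNOWN
    if compare(version, LAST_AFFECTED) > 0:
        return NOT_AFFECTED
    if compare(version, OLDEST_PATCHABLE) < 0:
        return UPGRADE
    return PATCH


def triage_inventory(inventory: List[Appliance]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, verdict) for every appliance."""
    return [(a.host, a.product, a.version, triage(a.version)) for a in inventory]


# Constructed sample inventory; hostnames and version mix are invented.
SAMPLE_INVENTORY = [
    Appliance("pra-01.example.internal", "PRA", "24.3.1"),
    Appliance("rs-01.example.internal", "RS", "22.1"),
    Appliance("rs-legacy.example.internal", "RS", "21.2.3"),
    Appliance("pra-02.example.internal", "PRA", "24.3.2"),
    Appliance("rs-02.example.internal", "RS", "24.3.1-hotfix"),
]

if __name__ == "__main__":
    for host, product, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:28} {product:3} {version:14} {verdict}")
```

The padding in `compare` matters: naive tuple comparison in Python treats `(22, 1)` as less than `(22, 1, 0)`, which would wrongly route a 22.1 appliance to the upgrade path. Strings the parser does not recognise are deliberately surfaced as unknown rather than silently assumed safe.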
For defenders the practical takeaways are narrow and concrete. Inventory every PRA and RS appliance and SaaS tenant, apply the vendor patch on 22.1 and later, and upgrade anything older rather than leaving it unsupported. Because the flaw requires administrative privileges, also review admin accounts and API keys on those instances, since a stolen key was the entry point in the December incident. Federal agencies have until Feb. 3; other organisations have no reason to wait longer.

