
Numerous Unsecured BeyondTrust Systems Still Vulnerable


Recent reports have highlighted a concerning trend in cybersecurity, as a significant number of BeyondTrust instances remain connected to the internet despite the known risks associated with a critical vulnerability being actively exploited by Chinese state-sponsored threat actors.

The vulnerability in question, tracked under CVE-2024-12356, is deemed highly severe with an assigned CVSS score of 9.8, impacting Privileged Remote Access (PRA) and Remote Support (RS) systems. First disclosed by BeyondTrust on December 16, 2024, the flaw quickly caught the attention of threat actors, leading to its addition to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities list. Within days, a Chinese state-sponsored hacker group had already leveraged the vulnerability to compromise the US Department of the Treasury, resulting in the theft of valuable data.

Despite widespread awareness of the ongoing threat posed by unpatched systems vulnerable to this exploit, a recent analysis conducted by Censys has revealed that there are still 8,602 instances of BeyondTrust PRA and RS systems connected to the internet, with a majority of these instances (72%) located within the United States. However, it is important to note that the analysis does not definitively confirm whether these exposed instances have been patched or remain vulnerable to exploitation.

Experts have pointed to the risks associated with self-hosted BeyondTrust deployments that have inadvertently been left open to the internet, emphasizing the importance of timely patching and hardening measures to mitigate potential threats. Because service providers typically offer centralized patching and monitoring for hosted services, organizations operating self-hosted deployments may face greater challenges in detection, response, and remediation.

In response to these findings, Bugcrowd CISO Trey Ford highlighted the trade-offs between self-hosted software-as-a-service (SaaS) models and hosted services in terms of operational efficiencies and threat intelligence integration. While self-hosted deployments may offer cost savings in licensing, they may lack the critical support and protection provided by service providers in terms of patching, hardening, and monitoring.

Notably, BeyondTrust cloud customers were promptly patched following the initial disclosure of the vulnerability in December 2024, highlighting the advantages of centralized services in ensuring timely and effective security updates. However, self-hosted versions of BeyondTrust may have required manual patching, potentially leading to delays or oversights in the mitigation process.

Cybersecurity expert John Bambenek emphasized the importance of limiting inbound connectivity to vulnerable systems, even in instances where patching may not be immediately feasible. By restricting access to trusted IP addresses only, organizations can enhance their defenses against potential threats and mitigate the risks associated with unpatched vulnerabilities.
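The following is an added example, not code from the article or from BeyondTrust, of how a defender can audit whether an allowlist like the one described above would be sufficient before enforcing it. It reads constructed connection-log lines for a self-hosted remote-support portal (the log shape, the paths and the trusted CIDR ranges are all assumptions for the example), classifies each source address against the trusted ranges, and emits the nftables rule that would enforce the allowlist on the portal's HTTPS port.

```python
"""Allowlist audit for inbound connections to a self-hosted remote-support portal.

Added example (not from the article or BeyondTrust). The log format,
paths and trusted ranges below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical trusted source ranges (documentation prefixes, constructed).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # corporate egress
    ipaddress.ip_network("198.51.100.0/26"),  # support-team VPN
]

# Constructed log lines: "<timestamp> <src_ip> <method> <path>".
SAMPLE_LOG = """\
2024-12-20T10:01:02Z 203.0.113.45 GET /remote/login
2024-12-20T10:01:09Z 198.51.100.7 GET /remote/login
2024-12-20T10:03:44Z 192.0.2.88 GET /remote/login
2024-12-20T10:03:45Z 192.0.2.88 POST /remote/login
2024-12-20T10:05:00Z 203.0.113.200 POST /remote/login
2024-12-20T10:06:12Z not-an-ip GET /remote/login
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, src_ip, method, path), or None for a malformed line."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, src, method, path = match.groups()
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None  # unparsable source: count it, do not crash the audit
    return ts, src_ip, method, path


def is_trusted(src, networks=TRUSTED_NETWORKS):
    """True if the address (string or ip_address) falls inside a trusted range."""
    src_ip = ipaddress.ip_address(src) if isinstance(src, str) else src
    return any(src_ip in net for net in networks)


def audit(log_text, networks=TRUSTED_NETWORKS):
    """Count connections per source, split into trusted and untrusted."""
    allowed, untrusted, malformed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        _, src_ip, _, _ = rec
        bucket = allowed if is_trusted(src_ip, networks) else untrusted
        bucket[str(src_ip)] += 1
    return {"allowed": dict(allowed), "untrusted": dict(untrusted),
            "malformed": malformed}


def untrusted_sources(log_text, networks=TRUSTED_NETWORKS):
    """Sorted list of source addresses the allowlist would block."""
    return sorted(audit(log_text, networks)["untrusted"])


def nft_allowlist_rule(networks=TRUSTED_NETWORKS, port=443):
    """nftables rule accepting the trusted ranges on the portal port.

    Pair it with a default-drop input policy so every other source is refused.
    """
    ranges = ", ".join(str(net) for net in networks)
    return (f"nft add rule inet filter input ip saddr {{ {ranges} }} "
            f"tcp dport {port} accept")


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("trusted sources:  ", result["allowed"])
    print("untrusted sources:", result["untrusted"])
    print("malformed lines:  ", result["malformed"])
    print(nft_allowlist_rule())
```

Run the audit against a real export of the portal's access log before applying the rule: any legitimate source that shows up under "untrusted" needs adding to the allowlist first, and the malformed-line count tells you whether the log format assumed here matches what the appliance actually writes.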

As the cybersecurity landscape continues to evolve, organizations need to prioritize proactive security measures, including timely patching, monitoring, and threat intelligence integration, to safeguard against emerging threats and minimize the impact of known vulnerabilities. The number of BeyondTrust instances still exposed to the internet underscores the need for stronger practices to protect sensitive data and systems from exploitation.
