The Cybersecurity and Infrastructure Security Agency (CISA) has added a second vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog. This addition comes amid confirmed malicious activity.
Identified as CVE-2024-12686, with a CVSS score of 7.2, the vulnerability enables attackers with administrative privileges to execute commands on behalf of a site user. CISA clarified that a cybercriminal could exploit this flaw to upload a malicious file and execute operating system commands.
The inclusion of CVE-2024-12686 follows the addition of another critical vulnerability in the same product—CVE-2024-12356, with a CVSS score of 9.8—just one month earlier. This vulnerability also facilitates the execution of arbitrary commands.
BeyondTrust revealed that both vulnerabilities were uncovered during an investigation into a cyber incident that occurred in December 2024. During this incident, attackers exploited a compromised Remote Support API key to access several company systems and alter local account passwords. Although the compromised key was revoked, the circumstances surrounding its exposure remain unclear. It is believed that the threats stemmed from the exploitation of zero-day vulnerabilities.
In early January, the U.S. Department of the Treasury disclosed that its network had been compromised using the aforementioned API key. The cyberattack has been attributed to the Chinese hacking group Silk Typhoon (Hafnium). Reports indicate that the attack targeted the Office of Foreign Assets Control (OFAC), the Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS).
