CVE-2024-12356: Command Injection Flaw in BeyondTrust Products Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability is already being actively exploited by malicious actors.
Identified as CVE-2024-12356, the vulnerability has been assigned a critical CVSS score of 9.8. It is a command injection vulnerability that allows attackers to execute arbitrary commands with the privileges of the web application user.
According to CISA, the vulnerability affects BeyondTrust PRA and RS products, enabling unauthorized attackers to inject commands that are executed with site-level user privileges. For cloud customers, updates addressing the issue have already been deployed. On-premises customers are advised to apply patch BT24-10-ONPREM1 or BT24-10-ONPREM2, as appropriate for their version, to secure their systems.
Reports of active exploitation emerged shortly after BeyondTrust disclosed a cyberattack targeting its Remote Support SaaS platform. Attackers gained access to an API key, which they used to reset passwords for local accounts.
During the subsequent investigation, conducted with the assistance of third-party experts, another vulnerability of moderate severity—CVE-2024-12686 (CVSS 6.6)—was discovered. This flaw enables attackers with administrative privileges to execute commands with site-level user rights. The issue has been addressed in the latest software releases.
For PRA and RS users, patches BT24-11-ONPREM1 and subsequent updates are available depending on the version in use. BeyondTrust has confirmed that all affected clients have been notified but has refrained from disclosing the scale of the attack or the identity of the attackers.
The inclusion of CVE-2024-12356 in CISA’s KEV catalog underscores its critical nature. Users are strongly urged to apply the latest updates immediately to mitigate potential risks.