Thousands of Buggy BeyondTrust Systems Remain Exposed

Despite urgent warnings that Chinese state-sponsored threat actors are exploiting a critical vulnerability in unpatched BeyondTrust systems, a surprising number of instances remain reachable from the Internet.

The vulnerability, tracked as CVE-2024-12356 and rated CVSS 9.8, is a command injection flaw in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products that lets an unauthenticated remote attacker run operating-system commands in the context of the site user. BeyondTrust disclosed it on Dec. 16, 2024, and CISA quickly added it to its Known Exploited Vulnerabilities catalog. Chinese state-sponsored actors exploited the flaw shortly afterward in a breach of the US Department of the Treasury.

An analysis by Censys found 8,602 BeyondTrust PRA and RS instances still reachable from the Internet, 72% of them in the US. The scan measures reachability, not patch level, so how many of those instances are still vulnerable is unknown.

BeyondTrust says it has force-updated all self-hosted instances as well, but whether the exposed instances Censys observed actually received the update cannot be confirmed from the outside; the only reliable check is on the appliance itself, comparing the installed patch level in its administrative interface against the vendor advisory. Security experts also warn that leaving self-hosted deployments open to the Internet carries significant risk regardless of patch status, since the next flaw will find the same exposure.

Bugcrowd CISO Trey Ford points to the tradeoff between vendor-hosted and self-hosted deployments in security and patch management: self-hosting may save money, but it forgoes the centralized patching and protection a service provider applies on the customer's behalf.

BeyondTrust's cloud customers were patched automatically as soon as the vulnerability was disclosed, which underscores the value of updates that are applied promptly and centrally rather than left to each customer.

Cybersecurity expert John Bambenek suggests that self-hosted deployments that cannot be patched immediately should at least restrict inbound connectivity to the vulnerable BeyondTrust components, shrinking the attack surface until the patch is applied. Such a restriction is a stopgap, not a fix: an attacker who reaches the appliance from an allowed network, or through a compromised credential on one, can still exploit the flaw.
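As an added illustration of the inbound restriction Bambenek describes (example code, not BeyondTrust's own tooling or guidance), the POSIX shell script below keeps an allowlist of source networks, decides whether a given client address would be admitted, and emits an nftables ruleset that accepts only those sources on the appliance's HTTPS port and drops everything else. The allowlist uses RFC 5737 documentation addresses and is constructed for the example; the listener port 443 and the table name `beyondtrust_guard` are assumptions.

```shell
#!/bin/sh
# Added example (not BeyondTrust's code): restrict inbound access to a self-hosted
# appliance's HTTPS port to an allowlist of source networks, and check whether a
# given source address would be admitted. The allowlist below is constructed from
# RFC 5737 documentation ranges; APPLIANCE_PORT and the table name are assumptions.

ALLOWED_CIDRS="203.0.113.0/24 198.51.100.10/32"   # constructed: VPN egress range + one jump host
APPLIANCE_PORT=443                                 # assumed listener port of the appliance

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> exit status 0 if IP lies inside the prefix
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0          # a /0 prefix matches every address
    # 4294967295 is 0xFFFFFFFF; shift left to clear the host bits, then truncate to 32 bits
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# source_allowed IP -> prints "allow" if IP is in any allowlisted prefix, else "deny"
source_allowed() {
    for cidr in $ALLOWED_CIDRS; do
        if in_cidr "$1" "$cidr"; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 0
}

# nft_ruleset -> prints an nftables ruleset that accepts the allowlist on the
# appliance port and drops every other inbound TCP connection to that port.
nft_ruleset() {
    elements=$(printf '%s' "$ALLOWED_CIDRS" | sed 's/ /, /g')
    cat <<EOF
table inet beyondtrust_guard {
    set allowed_sources {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $APPLIANCE_PORT ip saddr @allowed_sources accept
        tcp dport $APPLIANCE_PORT drop
    }
}
EOF
}

# Usage: evaluate a few constructed client addresses, then print the ruleset
# (apply it on the host with: nft_ruleset | nft -f -).
for src in 203.0.113.77 198.51.100.10 198.51.100.11 192.0.2.5; do
    printf '%-16s %s\n' "$src" "$(source_allowed "$src")"
done
nft_ruleset
```

The ruleset only covers IPv4 and the single appliance port; a real deployment would also need to account for IPv6, the management interface, and whatever chains already exist on the host or upstream firewall. Putting the allowlist in an nftables set rather than one rule per prefix keeps the ruleset small as the list grows, and the final `drop` is what actually removes the appliance from the Internet-wide scan results, so verify with an external scan from a non-allowlisted address after applying it.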