The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that could be exploited by a malicious actor to run arbitrary commands as the site user.
“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user,” CISA said.
While the issue has already been plugged into customers’ cloud instances, those using self-hosted versions of the software are recommended to update to the below versions –
- Privileged Remote Access (versions 24.3.1 and earlier) – PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
- Remote Support (versions 24.3.1 and earlier) – RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2
News of active exploitation comes after BeyondTrust revealed that it was the victim of a cyber attack earlier this month that allowed unknown threat actors to breach some of its Remote Support SaaS instances.
The company, which has enlisted the help of a third-party cybersecurity and forensics firm, said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.
Its probe has since uncovered another medium-severity vulnerability (CVE-2024-12686, 6.6) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. The newly discovered flaw has been addressed in the below versions –
- Privileged Remote Access (PRA) – PRA patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on PRA version)
- Remote Support (RS) – RS patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on RS version)
BeyondTrust makes no mention of either of the vulnerabilities being exploited in the wild. However, it has said that all affected customers have been notified. The exact scale of the attacks, or the identities of the threat actors behind them, is not known at present.
The Hacker News has reached out to the company for comment, and will update the piece if we hear back.
