
CISA: BeyondTrust flaw CVE-2024-12686 exploited in the wild

BeyondTrust discovered the flaw last month while investigating breaches of a 'limited number' of SaaS customers at the hands of Chinese state-sponsored threat actors.

Another vulnerability in BeyondTrust's Privileged Remote Access and Remote Support products has been exploited in the wild, according to CISA.

CVE-2024-12686 is a medium-severity OS command injection flaw affecting versions 24.3.1 and earlier of BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) tools. BeyondTrust discovered the vulnerability early last month while investigating customer breaches and disclosed it on Dec. 18. Chinese nation-state hackers had gained access to an RS API key and used it to breach the SaaS instances of a "limited number" of BeyondTrust customers, including the U.S. Treasury Department.

As part of the investigation into the SaaS breaches, BeyondTrust also disclosed a critical command injection flaw in PRA and RS, tracked as CVE-2024-12356. However, the vendor's dedicated incident status page did not state that either CVE-2024-12356 or CVE-2024-12686 had been exploited. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog on Dec. 19.

On Monday, CISA added CVE-2024-12686 to KEV, saying that defenders should "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable." Under KEV's standard patch deadlines, federal agencies must apply mitigations or discontinue PRA and RS use by Feb. 3.

According to BeyondTrust's security advisory for CVE-2024-12686, all vulnerable versions of PRA and RS contain a command injection flaw that can be exploited by a user with admin privileges to upload malicious files. "Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user," BeyondTrust said.

The vendor addressed the issue through a patch available for supported releases of RS and PRA, versions 22.1 and higher. Customers running older releases must first upgrade to a supported version before the patch can be applied.
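The three facts above (affected range 24.3.1 and earlier, patches only for 22.1 and higher, KEV deadline of Feb. 3) are what a vulnerability-management team needs to triage an inventory. The following added example, which is not BeyondTrust's or CISA's code, turns them into a small check: it parses appliance version strings, classifies each instance as not affected, patchable, or needing an upgrade first, and reports days remaining against the KEV due date. The KEV record, the calendar dates (a Jan. 13 addition for the Feb. 3 deadline) and the host inventory are constructed for the example; the field names follow the public KEV JSON feed.

```python
from __future__ import annotations
from datetime import date

# Version facts from the article. Assumption: anything above 24.3.1 is
# treated as outside the affected range; confirm against the vendor advisory.
AFFECTED_MAX = (24, 3, 1)      # "24.3.1 and earlier"
PATCHABLE_MIN = (22, 1)        # patch available for "22.1 and higher"

# Constructed KEV-style record (dates are assumptions consistent with the
# article's Feb. 3 deadline; field names mirror the public KEV JSON feed).
KEV_ENTRY = {
    "cveID": "CVE-2024-12686",
    "vendorProject": "BeyondTrust",
    "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
    "dateAdded": "2025-01-13",
    "dueDate": "2025-02-03",
    "requiredAction": "Apply mitigations per vendor instructions or "
                      "discontinue use of the product if mitigations are unavailable.",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'24.3.1' -> (24, 3, 1); pad to three fields so '24.3' compares as 24.3.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 3:
        parts += [0] * (3 - len(parts))
    return tuple(parts)


def classify(version: str) -> str:
    """Map a deployed PRA/RS version to a remediation status."""
    v = parse_version(version)
    if v > AFFECTED_MAX:
        return "not_affected"       # later than 24.3.1: outside the stated range
    if v[:2] >= PATCHABLE_MIN:
        return "patch_available"    # supported branch: apply the vendor patch
    return "upgrade_required"       # unsupported branch: upgrade, then patch


def days_to_deadline(today: date, entry: dict = KEV_ENTRY) -> int:
    """Days remaining until the KEV due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(inventory: list[tuple[str, str]], today: date) -> list[dict]:
    """Annotate each (host, version) pair with status and deadline pressure."""
    remaining = days_to_deadline(today)
    rows = []
    for host, version in inventory:
        status = classify(version)
        affected = status != "not_affected"
        rows.append({
            "host": host,
            "version": version,
            "status": status,
            "days_left": remaining if affected else None,
            "overdue": affected and remaining < 0,
        })
    return rows


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders, not real systems.
    sample = [
        ("rs-appliance-1", "24.3.1"),
        ("pra-appliance-2", "24.3.2"),
        ("rs-legacy", "21.2"),
    ]
    for row in triage(sample, date(2025, 1, 14)):
        print(row)
```

Versions carrying a fourth field (a hotfix build) sort above 24.3.1 here and are reported as not affected; whether such builds actually contain the fix is something to verify against BeyondTrust's advisory rather than infer from the version string.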

A spokesperson for BeyondTrust confirmed to Informa TechTarget that the company was aware that the vulnerability was added to KEV and shared the following statement:

BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts. BeyondTrust posted information regarding the incident and the ongoing investigation on its website on December 8, 2024, including a summary, timeline, and indicators. The security advisory has been updated since then as part of BeyondTrust's commitment to updating customers through the completion of this matter.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.
