The Cybersecurity and Infrastructure Security Agency (CISA) has recently flagged a significant security vulnerability affecting BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. The vulnerability, designated CVE-2024-12356, carries a critical CVSS score of 9.8 and is a command injection flaw that malicious actors could exploit to execute arbitrary commands with the privileges of the site user.
BeyondTrust has acknowledged that its products contain this serious vulnerability, which allows unauthenticated attackers to inject commands that execute in the context of legitimate users. CISA's action follows evidence that the vulnerability is being actively exploited in the wild.
For organizations utilizing self-hosted versions of BeyondTrust products, immediate updates are recommended. Affected versions include Privileged Remote Access up to version 24.3.1 and Remote Support also up to version 24.3.1. The patches for these software versions are labeled accordingly as BT24-10-ONPREM1 and BT24-10-ONPREM2 respectively.
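As an added example (not from the article and not BeyondTrust's own tooling), the following script triages a constructed inventory of BeyondTrust instances against the affected-version ceiling and patch identifiers stated above. It assumes an inventory with product, version, hosting model and applied-patch fields, and maps patches to products exactly as the article words it ("respectively"); both the inventory and the field names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Affected releases as stated in the advisory summarised above:
# Privileged Remote Access (PRA) and Remote Support (RS) up to and including 24.3.1.
LAST_AFFECTED = (24, 3, 1)
# Patch identifiers named in the advisory, mapped to products as the article lists
# them. Assumption: an instance counts as patched only if its product's patch appears
# in the list of patches applied to it.
PATCH_FOR_PRODUCT = {"PRA": "BT24-10-ONPREM1", "RS": "BT24-10-ONPREM2"}

@dataclass
class Instance:
    host: str
    product: str             # "PRA" or "RS" (assumed inventory field)
    version: str             # e.g. "24.3.1"
    hosted: str              # "self-hosted" or "saas" (assumed inventory field)
    patches: set = field(default_factory=set)

def parse_version(text: str) -> tuple:
    """Turn '24.3.1' into (24, 3, 1) so comparison is numeric, not lexical
    (a hypothetical '24.3.10' must sort above '24.3.1')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(inst: Instance) -> str:
    """Classify one instance for CVE-2024-12356 exposure."""
    if inst.hosted != "self-hosted":
        return "saas-vendor-managed"   # SaaS instances are updated by the vendor
    if inst.product not in PATCH_FOR_PRODUCT:
        return "unknown-product"
    if parse_version(inst.version) > LAST_AFFECTED:
        return "not-affected"
    if PATCH_FOR_PRODUCT[inst.product] in inst.patches:
        return "patched"
    return "VULNERABLE"

def triage_inventory(instances) -> dict:
    return {i.host: triage(i) for i in instances}

# Constructed sample inventory; hosts and versions are made up for illustration.
SAMPLE = [
    Instance("pra-01.example.internal", "PRA", "24.3.1", "self-hosted"),
    Instance("pra-02.example.internal", "PRA", "24.3.1", "self-hosted", {"BT24-10-ONPREM1"}),
    Instance("rs-01.example.internal", "RS", "23.2.4", "self-hosted"),
    Instance("rs-02.example.internal", "RS", "24.4.0", "self-hosted"),
    Instance("rs-saas.example.com", "RS", "24.3.1", "saas"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:28} {status}")
```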
This warning arrives on the heels of BeyondTrust confirming it was targeted in a cyber incident that allowed threat actors to breach certain Remote Support SaaS instances earlier this month. A third-party cybersecurity firm has been brought in to assist with investigations, revealing attackers may have gained unauthorized access to an API key used within the Remote Support system capable of resetting application account passwords.
Furthermore, the investigation has uncovered another medium-severity vulnerability, designated as CVE-2024-12686 (CVSS score: 6.6), which permits an attacker with existing administrative privileges to inject commands and operate as a site user. Similar patches addressing this vulnerability have been issued and are essential for organizational compliance and security.
BeyondTrust has not disclosed whether either vulnerability has been exploited during the previous attacks, stating that all parties potentially affected have been informed. However, the extent of these attacks and the identities of the attackers remain uncertain at this time. This situation underscores the need for organizations to maintain robust cybersecurity standards, particularly when utilizing remote access tools that may expose them to increased risk.
In terms of the methodologies employed in these attacks, the relevant tactics from the MITRE ATT&CK framework would be Initial Access, since the attackers most likely exploited the vulnerabilities to gain entry, followed by Privilege Escalation to execute commands on the compromised systems. Organizations must remain vigilant in monitoring for unusual activity and ensure prompt application of patches to mitigate the risks stemming from such vulnerabilities.
The Hacker News has reached out to BeyondTrust for further clarification on these incidents and will provide updates as they become available. This ongoing situation serves as a critical reminder of the ever-evolving landscape of cybersecurity threats and the importance of proactive measures in safeguarding sensitive information.