BeyondTrust Releases Urgent Patch for Critical Vulnerability in PRA and RS Products

Critical Vulnerability Discovered in BeyondTrust Products

BeyondTrust has disclosed a critical security vulnerability affecting its Privileged Remote Access (PRA) and Remote Support (RS) products. The flaw, tracked as CVE-2024-12356 and rated Critical with a CVSS score of 9.8, allows arbitrary command execution and can be exploited by an unauthenticated attacker.

PRA is designed to manage and audit privileged accounts and to provide zero-trust access to on-premises and cloud resources, while Remote Support is used by service desk staff to connect securely to remote systems and mobile devices. The vulnerability is a command injection issue: a malicious client request can cause the appliance to execute operating system commands in the context of the site user, so the attacker inherits whatever privileges that account holds on the appliance.
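The following added example illustrates the command injection class described above in generic form; it is not BeyondTrust's code, and the advisory does not disclose the real injection point in PRA or RS. The `host` parameter, the `echo pinging` placeholder command and the sample inputs are all constructed for this illustration. It shows why running a client-supplied value through a shell is dangerous and why an argv list plus input validation closes the hole.

```python
"""Generic command injection: vulnerable handler beside its hardened form.

Added example, not code from BeyondTrust or the article. The command
(`echo pinging <host>`) stands in for whatever OS command a real service
might build from a client-supplied value; it is harmless so the injection
can be demonstrated safely. Requires a POSIX /bin/sh.
"""
import re
import subprocess


def build_vulnerable_command(host: str) -> str:
    # VULNERABLE: client input is concatenated into a single shell string.
    return f"echo pinging {host}"


def run_vulnerable(host: str) -> str:
    # shell=True hands the string to /bin/sh, which honours ';', '|', '$(...)'.
    # A value such as "example.com; echo INJECTED" runs a second command
    # with the privileges of the process owner (the "site user").
    completed = subprocess.run(
        build_vulnerable_command(host), shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_argv_no_shell(host: str) -> str:
    # Partial fix: same input, but passed as one argv element with no shell.
    # Metacharacters are delivered to the program literally, so no second
    # command runs even though the value was never validated.
    completed = subprocess.run(
        ["echo", "pinging", host], capture_output=True, text=True
    )
    return completed.stdout


# Allow-list for a hostname-like value (constructed for the example).
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def build_hardened_argv(host: str) -> list[str]:
    # HARDENED: reject anything outside the allow-list, then build an argv
    # list so the value can never be parsed as shell syntax.
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["echo", "pinging", host]


def run_hardened(host: str) -> str:
    completed = subprocess.run(build_hardened_argv(host), capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"          # constructed attacker input
    print("vulnerable :", run_vulnerable(payload).rstrip())
    print("no-shell   :", run_argv_no_shell(payload).rstrip())
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
```

Running the block prints `INJECTED` on its own line for the vulnerable path, the literal string `pinging example.com; echo INJECTED` for the argv-only path, and a rejection for the hardened path. Validation alone is not the fix; removing the shell from the call path is what prevents the injected token from ever being interpreted.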

The flaw affects PRA and RS versions 24.3.1 and earlier. BeyondTrust has released fixes for on-premises deployments as patches BT24-10-ONPREM1 and BT24-10-ONPREM2; cloud instances were patched by the vendor before December 16, 2024. On-premises customers running versions older than 22.1 must first upgrade before the patch can be applied.
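As an added example (not from the article or from BeyondTrust), the script below applies the version guidance above to an inventory of appliances and tells the operator what to do with each one. The version rules come from the advisory as reported here; the appliance names, versions and the `Appliance` record are constructed for the example, and the comparison is numeric so that "24.10" is correctly treated as newer than "24.3".

```python
"""Triage PRA / RS appliance versions against CVE-2024-12356 guidance.

Added example, not BeyondTrust code. Rules as reported in the article:
  * versions 24.3.1 and earlier are affected;
  * on-prem fixes ship as patches BT24-10-ONPREM1 / BT24-10-ONPREM2;
  * appliances older than 22.1 must upgrade before the patch can be applied;
  * cloud instances were patched by the vendor before 2024-12-16.
"""
from dataclasses import dataclass

LAST_AFFECTED = (24, 3, 1)   # highest version listed as affected
MIN_PATCHABLE = (22, 1, 0)   # oldest version that can take the patch directly


def parse_version(v: str) -> tuple[int, int, int]:
    """'24.3.1' -> (24, 3, 1); '22.1' -> (22, 1, 0). Numeric, not lexical."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string {v!r}")
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return nums  # type: ignore[return-value]


def triage(version: str, deployment: str = "on-prem") -> str:
    """Return the action for one appliance.

    'vendor-patched'          cloud instance, patched by BeyondTrust
    'not-listed-as-affected'  newer than 24.3.1
    'upgrade-then-patch'      older than 22.1: upgrade first, then patch
    'patch'                   22.1 .. 24.3.1: apply BT24-10-ONPREM patch
    """
    if deployment == "cloud":
        return "vendor-patched"
    v = parse_version(version)
    if v > LAST_AFFECTED:
        return "not-listed-as-affected"
    if v < MIN_PATCHABLE:
        return "upgrade-then-patch"
    return "patch"


@dataclass(frozen=True)
class Appliance:
    name: str
    version: str
    deployment: str = "on-prem"


def triage_fleet(appliances) -> dict[str, str]:
    return {a.name: triage(a.version, a.deployment) for a in appliances}


if __name__ == "__main__":
    # Constructed inventory for the example.
    fleet = [
        Appliance("rs-hq", "24.3.1"),
        Appliance("pra-dc2", "21.2.3"),
        Appliance("rs-lab", "24.10"),
        Appliance("rs-saas", "n/a", deployment="cloud"),
    ]
    for name, action in triage_fleet(fleet).items():
        print(f"{name:10s} {action}")
```

The `parse_version` step is the part worth copying: a plain string comparison would rank "24.10" below "24.3" and tell you an up-to-date appliance still needs the patch. The "not-listed-as-affected" result only means the version is outside the advisory's stated range; it is not a statement that later builds were audited.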

The vulnerability was discovered during a forensic investigation into a security incident identified on December 2, 2024, which affected a limited number of Remote Support SaaS customers. In the course of that review, BeyondTrust determined that an API key for the Remote Support SaaS service had been compromised. That key compromise was the incident under investigation, not a cause of the vulnerability, which was found while examining it. The company revoked the key, notified the affected customers, and suspended the implicated instances to limit further risk.

BeyondTrust is working with a third-party cybersecurity and forensics firm to establish the root cause and full impact of the compromise. The investigation is still open, which is all the more reason for organizations running BeyondTrust products to confirm their appliances are patched rather than wait for further findings.

In MITRE ATT&CK terms, exploiting the flaw from the network maps to Exploit Public-Facing Application (T1190) under Initial Access, and the resulting command injection maps to Command and Scripting Interpreter (T1059) under Execution. It is not a privilege escalation technique as such: the attacker gains whatever privileges the site user already holds on the appliance, and any further escalation would be a separate step.

Administrators and IT teams should monitor BeyondTrust's advisories, confirm that on-premises PRA and RS appliances are at a supported version with the patch applied, and review appliance and API key usage for signs of misuse. The incident is a reminder that remote access and support tooling sits on a privileged path and warrants the same patch discipline as any internet-facing service.
