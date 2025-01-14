Another vulnerability in BeyondTrust's Privileged Remote Access and Remote Support has been exploited in the wild, according to CISA.

CVE-2024-12686 is a medium-severity OS command injection flaw affecting versions 24.3.1 and earlier of BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. BeyondTrust found the flaw while investigating customer breaches early last month and disclosed it on Dec. 18. In those breaches, Chinese nation-state hackers obtained an RS API key and used it to compromise the SaaS instances of a "limited number" of BeyondTrust customers, including the U.S. Treasury.

During the same investigation, BeyondTrust disclosed a critical command injection flaw in PRA and RS, tracked as CVE-2024-12356. The vendor's dedicated incident status page, however, did not say that either CVE-2024-12356 or CVE-2024-12686 had been exploited. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog on Dec. 19.

On Monday, CISA added CVE-2024-12686 to KEV as well, instructing defenders to "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable." Under KEV's standard three-week remediation deadline, federal agencies must apply mitigations or discontinue use of PRA and RS by Feb. 3.

According to BeyondTrust's security advisory for CVE-2024-12686, all vulnerable versions of PRA and RS contain a command injection flaw that an attacker who already holds administrative privileges can exploit by uploading a malicious file. "Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user," BeyondTrust said. The flaw is therefore post-authentication: exploitation requires an existing administrative account on the appliance, which is why the advisory's severity rating is medium rather than critical.

The vendor has released patches for supported releases of RS and PRA, versions 22.1 and later. Customers running older versions must first upgrade to a supported release before the patch can be applied.
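A defender with several PRA/RS appliances needs to answer three questions from the facts above: which appliances fall in the affected range (24.3.1 and earlier), which are too old to patch and must be upgraded first (anything below 22.1), and how long remains before the KEV due date. The script below is an added example and is not code from the article, BeyondTrust or CISA. The KEV record is constructed to mirror the field names CISA's known_exploited_vulnerabilities.json feed uses, with the dates and required action reported above; the appliance inventory, hostnames, the `patch_applied` flag and the version 24.3.10 are hypothetical.

```python
"""Triage a fleet of BeyondTrust PRA/RS appliances against a KEV entry.

Added example; not code from the article, BeyondTrust or CISA.
"""
import json
from datetime import date

# Constructed KEV-style record. Field names follow CISA's JSON feed; the
# values are the ones reported in the article (added 2025-01-13, due 2025-02-03).
KEV_JSON = json.dumps({
    "vulnerabilities": [{
        "cveID": "CVE-2024-12686",
        "vendorProject": "BeyondTrust",
        "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
        "dateAdded": "2025-01-13",
        "dueDate": "2025-02-03",
        "requiredAction": "Apply mitigations per vendor instructions or "
                          "discontinue use of the product if mitigations are unavailable.",
    }]
})

# From the vendor advisory: 24.3.1 and earlier are affected, and patches
# exist only for release lines 22.1 and later.
LAST_AFFECTED = "24.3.1"
OLDEST_PATCHABLE = "22.1"

# Constructed inventory (hypothetical hosts). The hotfix for this CVE does
# not change the reported version string, so a separate patch_applied flag
# (assumed to come from your own change records) is needed.
INVENTORY = [
    {"host": "pra-01.example.test", "version": "24.3.1",  "patch_applied": False},
    {"host": "rs-02.example.test",  "version": "24.3.10", "patch_applied": False},  # hypothetical later build
    {"host": "rs-03.example.test",  "version": "21.2.3",  "patch_applied": False},
    {"host": "pra-04.example.test", "version": "23.2.1",  "patch_applied": True},
]


def parse_version(v, width=3):
    """'24.3.1' -> (24, 3, 1); '22.1' -> (22, 1, 0).

    Integer tuples compare numerically, so 24.3.10 sorts after 24.3.1;
    a plain string comparison would wrongly treat 24.3.10 as older.
    """
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def classify(appliance):
    """Return one of: not affected, patched, upgrade required, patch required."""
    v = parse_version(appliance["version"])
    if v > parse_version(LAST_AFFECTED):
        return "not affected"
    if appliance.get("patch_applied"):
        return "patched"
    if v < parse_version(OLDEST_PATCHABLE):
        return "upgrade required"   # no patch for this line; upgrade to 22.1+ first
    return "patch required"


def triage(inventory):
    """Map each host to its remediation status."""
    return {a["host"]: classify(a) for a in inventory}


def days_until_due(kev_json, cve_id, today_iso):
    """Days left before the KEV dueDate for cve_id, or None if it is not listed."""
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days
    return None


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:24} {status}")
    print("days until KEV due date:",
          days_until_due(KEV_JSON, "CVE-2024-12686", "2025-01-14"))
```

Swap the constructed `KEV_JSON` for the live feed and `INVENTORY` for your asset data and the same logic applies; the version tuple comparison matters whenever a release line reaches a two-digit patch number.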

A spokesperson for BeyondTrust confirmed to Informa TechTarget's SearchSecurity that the company was aware the vulnerability was added to the KEV and shared the following statement: