The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw affecting BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that could be used by an attacker to execute arbitrary commands as a site user.
“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability that could allow an unauthenticated attacker to enter commands that execute on behalf of a site user,” CISA said.
While the issue has already been patched for cloud-based customer instances, those using self-hosted (on-premises) versions of the software are advised to upgrade to the following versions:
- Privileged Remote Access (versions 24.3.1 and earlier) – PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
- Remote Support (versions 24.3.1 and earlier) – RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2
News of active exploitation comes after BeyondTrust revealed that it was the victim of a cyberattack earlier this month that allowed unknown threat actors to compromise some of its Remote Support SaaS instances.
The company, which enlisted the help of a third-party cybersecurity and forensics firm, said an investigation into the incident revealed that attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.
The investigation has since uncovered another medium-severity vulnerability (CVE-2024-12686, CVSS score: 6.6), which could allow an attacker with existing administrative privileges to inject commands and run them as a site user. The newly discovered bug has been fixed in the following versions:
- Privileged Remote Access (PRA) – PRA patches BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6 and BT24-11-ONPREM7 (depending on PRA version)
- Remote Support (RS) – RS patches BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6 and BT24-11-ONPREM7 (depending on RS version)
BeyondTrust has not said whether either vulnerability has been exploited in the wild, but it stated that all affected customers have been notified. The exact scale of the attacks and the identities of those behind them are currently unknown.
Hacker News has reached out to the company for comment and will update the article if it hears back.