The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2024-12686 (CVSS score: 6.6), a medium-severity flaw that could allow an attacker who already holds administrative privileges to inject operating system commands and have them run as the site user.
“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that could be used by an attacker with existing administrative privileges to download a malicious file,” CISA said.
“Successful exploitation of this vulnerability could allow a remote attacker to execute basic operating system commands in the context of the site user.”
The addition of CVE-2024-12686 to the KEV catalog comes nearly a month after CISA added another critical security flaw affecting the same products (CVE-2024-12356, CVSS score: 9.8), which can likewise be exploited to execute arbitrary commands.
BeyondTrust said both vulnerabilities were discovered during an investigation into a cyber incident in early December 2024, in which attackers used a compromised Remote Support SaaS API key to compromise some Remote Support SaaS instances and reset passwords for local application accounts.
Although the API key has since been revoked, exactly how it was compromised is still unknown. It is suspected that the threat actors exploited the two flaws as zero-days to compromise the affected BeyondTrust systems.
Earlier this month, the US Treasury Department revealed that its network had been breached using a compromised API key in what it described as a “major cyber security incident”. The hack was attributed to a Chinese state-sponsored group tracked as Silk Typhoon (aka Hafnium).
The threat actors are believed to have specifically targeted the Office of Foreign Assets Control (OFAC), the Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS), according to reports from the Washington Post and CNN.
Also added to the KEV catalog is a patched critical security vulnerability affecting Qlik Sense (CVE-2023-48365, CVSS score: 9.9) that allows an attacker to elevate privileges and execute HTTP requests on the backend server hosting the software.
The flaw is notable for having been exploited in the past by the Cactus ransomware group. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by February 3, 2025, to secure their networks against active threats.