Latest Cyber Security News

You are here: Home / General Cyber Security News / CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List
December 20, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that could be exploited by a malicious actor to run arbitrary commands as the site user.

“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user,” CISA said.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

While the issue has already been plugged into customers’ cloud instances, those using self-hosted versions of the software are recommended to update to the below versions –

  • Privileged Remote Access (versions 24.3.1 and earlier) – PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2
  • Remote Support (versions 24.3.1 and earlier) – RS patch BT24-10-ONPREM1 or BT24-10-ONPREM2

News of active exploitation comes after BeyondTrust revealed that it was the victim of a cyber attack earlier this month that allowed unknown threat actors to breach some of its Remote Support SaaS instances.

The company, which has enlisted the help of a third-party cybersecurity and forensics firm, said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.

Its probe has since uncovered another medium-severity vulnerability (CVE-2024-12686, 6.6) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. The newly discovered flaw has been addressed in the below versions –

  • Privileged Remote Access (PRA) – PRA patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on PRA version)
  • Remote Support (RS) – RS patch BT24-11-ONPREM1, BT24-11-ONPREM2, BT24-11-ONPREM3, BT24-11-ONPREM4, BT24-11-ONPREM5, BT24-11-ONPREM6, and BT24-11-ONPREM7 (dependent on RS version)

Cybersecurity

BeyondTrust makes no mention of either of the vulnerabilities being exploited in the wild. However, it has said that all affected customers have been notified. The exact scale of the attacks, or the identities of the threat actors behind them, is not known at present.

The Hacker News has reached out to the company for comment, and will update the piece if we hear back.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *