
BeyondTrust PRA and RS Flaw Under Active Attack

The company pushed a fix for CVE-2024-12356 to all cloud customers

BeyondTrust has issued an emergency fix for a command injection vulnerability in two of its security products, and CISA is warning that the vulnerability is under active attack. The bug is rated critical and the vendor has pushed a fix to every customer that has automatic updates enabled.

CVE: CVE-2024-12356

Why It Matters: The vulnerability affects all versions of the Privileged Remote Access and Remote Support products, both of which are highly privileged enterprise solutions. Exploiting the vulnerability would give an attacker the ability to run commands on the underlying OS with high privileges. Security products are highly prized targets for attackers because of their privileged positions in networks and the data they process and store. With the vulnerability under active exploitation, any organization that hasn’t already received the automatic update should treat patching as a high priority.

Key Details

  • CVE-2024-12356 is a command injection bug that a remote unauthenticated attacker can exploit with just a malicious request.

  • BeyondTrust pushed an automatic update on Dec. 16 to all cloud customers who have that subscription. On-premises customers without automatic updates can apply the patch manually.

  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Dec. 19 and urged all organizations to apply the fix as soon as possible.

“All BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions contain a command injection vulnerability which can be exploited through a malicious client request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user. This issue is fixed through a patch available for all supported releases of RS & PRA 22.1.x and higher,” the company said in its advisory.
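As an added illustration of the bug class the advisory names (this is not BeyondTrust's code and does not reproduce the actual CVE-2024-12356 flaw, whose mechanism the page does not describe), the following shows the general shape of a command injection: a request-controlled value spliced into a shell command string, beside the hardened form that allow-lists the action, validates the value and passes it to the OS as a single argv element with no shell in between. The request, the `ping`/`traceroute` actions and the host pattern are constructed assumptions for the example.

```python
"""Command injection: vulnerable pattern beside a hardened one.

Constructed educational example; not BeyondTrust's code and not the
actual CVE-2024-12356 defect.
"""
import re
import shlex
import subprocess

# Constructed client request: the caller controls the "host" parameter.
CONSTRUCTED_REQUEST = {"action": "ping", "host": "10.0.0.5; id"}


# ---- Vulnerable pattern -------------------------------------------------
def build_command_unsafe(request: dict) -> str:
    """Splice an untrusted value into a string meant for shell=True.

    Whatever the client sends is re-parsed by /bin/sh, so separators
    such as ';' turn one intended command into several.
    """
    return f"ping -c 1 {request['host']}"


def shell_commands_in(cmd: str) -> list[list[str]]:
    """Tokenise `cmd` the way a POSIX shell would and split it on command
    separators, so the effect of the unsafe builder is visible without
    executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# ---- Hardened pattern ---------------------------------------------------
# Fixed argv prefixes per allowed action (assumed set for the example).
ALLOWED_ACTIONS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}
# Hostname/IP shape: first char alphanumeric, so a value cannot start
# with '-' and be parsed as an option (argument injection), max 253 chars.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_command_safe(request: dict) -> list[str]:
    """Allow-list the action, validate the host, return an argv list."""
    base = ALLOWED_ACTIONS.get(request.get("action", ""))
    if base is None:
        raise ValueError("unknown action")
    host = request.get("host", "")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return [*base, host]


def run_safe(request: dict, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute with an argv list and shell=False: the host is one argument
    handed directly to execve, never parsed by a shell."""
    return subprocess.run(
        build_command_safe(request),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )


if __name__ == "__main__":
    unsafe = build_command_unsafe(CONSTRUCTED_REQUEST)
    print("unsafe string :", unsafe)
    print("shell would run:", shell_commands_in(unsafe))
    try:
        build_command_safe(CONSTRUCTED_REQUEST)
    except ValueError as exc:
        print("safe builder  : rejected ->", exc)
    print("safe argv     :", build_command_safe({"action": "ping", "host": "10.0.0.5"}))
```

The argv-list form removes the shell from the path entirely; the input validation on top of it is what closes the remaining gap, since a leading `-` in a bare argv element can still be read as an option by the invoked program. Reviewing code for `shell=True`, `os.system`, `popen` and similar calls that receive request data is the cheapest way to find this pattern.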

Exploitation: Although CISA has added the bug to its KEV catalog, there are no public details about the exploitation activity or which threat actors are targeting the vulnerability.