A new vulnerability affecting BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products has been added to the Known Exploited Vulnerabilities catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The CVE-2024-12686 vulnerability allows attackers with site admin rights to execute commands that grant system attribute access by impersonating site users.
The discovery of CVE-2024-12686 follows BeyondTrust’s announcement of a critical flaw, CVE-2024-12356, in its products. The two critical vulnerabilities emerged when BeyondTrust analyzed the December 2024 cyberattack. During the incident, attackers used a compromised Remote Support SaaS API key to penetrate multiple instances and reset the passwords for local application user accounts. Analysts were unable to determine how the API key became compromised.
State-sponsored Chinese hacking groups exploited these vulnerabilities in December to breach multiple systems, including those belonging to the U.S. Treasury Department. The attack gave the hackers unauthorized entry to workstations, through which they acquired access to sensitive, unclassified documents. The Treasury Department teamed up with the FBI, CISA, and other law enforcement agencies to analyze and minimize the effects of the breach.
BeyondTrust patched all cloud instances affected by the vulnerabilities, while self-hosted clients obtained security updates. CISA requires all federal agencies to apply these security patches by February 3 to help reduce ongoing security threats. A fast response to software vulnerabilities is critical for organizations: it blocks malicious attackers and underscores the importance of substantive cybersecurity frameworks.