{"id":28821,"date":"2024-12-20T22:45:18","date_gmt":"2024-12-20T22:45:18","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=28821"},"modified":"2024-12-20T22:45:18","modified_gmt":"2024-12-20T22:45:18","slug":"beyondtrust-remote-access-vulnerability","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/beyondtrust-remote-access-vulnerability\/","title":{"rendered":"BeyondTrust Remote Access Vulnerability Exploited, Update Now"},"content":{"rendered":"<p><strong>BeyondTrust\u2019s Privileged Remote Access (PRA) and Remote Support (RS) solutions have two vulnerabilities<\/strong>, identified as CVE-2024-12356 and CVE-2024-12686. These vulnerabilities enable unauthenticated command injection and privilege escalation. This means attackers can execute arbitrary commands and gain full control over enterprise systems.<\/p>\n<h2>BeyondTrust Critical Flaw Actively Exploited, CISA Warns<\/h2>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/12\/19\/cisa-adds-one-known-exploited-vulnerability-catalog\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">has identified<\/a> a significant security vulnerability in BeyondTrust&#8217;s Privileged Remote Access and Remote Support software. 
The flaw, tracked as CVE-2024-12356, has been added to CISA&#8217;s Known Exploited Vulnerabilities catalog due to evidence of its active exploitation.<\/p>\n<figure id=\"attachment_28846\" aria-describedby=\"caption-attachment-28846\" style=\"width: 817px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/beyondtrust-security-advisory.png\" alt=\"Beyondtrust advisory\" width=\"817\" height=\"457\" class=\"size-full wp-image-28846\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/beyondtrust-security-advisory.png 817w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/beyondtrust-security-advisory-300x168.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/beyondtrust-security-advisory-768x430.png 768w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><figcaption id=\"caption-attachment-28846\" class=\"wp-caption-text\">Official note from BeyondTrust regarding the vulnerability<\/figcaption><\/figure>\n<p>CVE-2024-12356 is a critical command injection <a href=\"https:\/\/gridinsoft.com\/vulnerability\">vulnerability<\/a> affecting BeyondTrust&#8217;s Privileged Remote Access and Remote Support software. This flaw has been assigned <strong>a CVSS score of 9.8<\/strong>, categorizing it as critical.<\/p>\n<p>Commands are executed with the permissions of the &#8220;site user&#8221;, meaning the attacker does not require valid credentials. This vulnerability arises from the software&#8217;s failure to properly validate user input before executing it in system-level commands or scripts.<\/p>\n<h2>Affected Software and Fixes<\/h2>\n<p>This vulnerability affects PRA and RS software versions <strong>24.3.1 and earlier<\/strong>. 
Although BeyondTrust has secured its cloud-hosted instances, self-hosted users must apply the following patches to mitigate the issue: Privileged Remote Access BT24-10-ONPREM1 or BT24-10-ONPREM2, and Remote Support BT24-10-ONPREM1 or BT24-10-ONPREM2.<\/p>\n<p>Earlier this month, BeyondTrust revealed a cyberattack targeting its Remote Support SaaS platform. Attackers exploited a compromised Remote Support SaaS API key to reset passwords for local application accounts.<\/p>\n<div class=\"box\">Remote access programs are powerful applications, though they may have immense potential for malicious misuse. We have a dedicated article about their weaponized version &#8211; <a href=\"https:\/\/gridinsoft.com\/blogs\/remote-access-trojan-meaning\/\">remote access trojans<\/a>; consider checking it out.<\/div>\n<h2>Additional Vulnerability Discovered<\/h2>\n<p>During its investigation, BeyondTrust identified another vulnerability, <strong>CVE-2024-12686 (CVSS score: 6.6)<\/strong>. This medium-severity issue also enables command injection but, unlike CVE-2024-12356, requires an attacker to have existing administrative privileges. Fixes for this vulnerability depend on the specific PRA or RS version and include patches BT24-11-ONPREM1 through BT24-11-ONPREM7.<\/p>\n<p>BeyondTrust has not observed active exploitation of the medium-severity vulnerability and has informed all affected customers. The company has engaged a third-party cybersecurity firm to assist with its investigation, but details about the scale of the attack or the identity of <a href=\"https:\/\/gridinsoft.com\/hacker\">the threat actors<\/a> remain unknown. Organizations using BeyondTrust&#8217;s PRA or RS software should immediately review their deployment and apply the necessary patches to prevent exploitation.<\/p>\n<p>As for individual users, it\u2019s reasonable to consider using an additional anti-malware solution for enhanced security. 
For instance, <strong>GridinSoft Anti-Malware<\/strong> can offer an extra layer of protection and help prevent unwanted activity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BeyondTrust\u2019s Privileged Remote Access (PRA) and Remote Support (RS) solutions have two vulnerabilities, identified as CVE-2024-12356 and CVE-2024-12686. These vulnerabilities enable unauthenticated command injection and privilege escalation. This means attackers can execute arbitrary commands and gain full control over enterprise systems. BeyondTrust Critical Flaw Actively Exploited, CISA Warns The U.S. Cybersecurity and Infrastructure Security Agency [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":28836,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[619,315,374],"class_list":{"0":"post-28821","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cybersecurity","9":"tag-exploit","10":"tag-vulnerability"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/12\/BeyondTrust-Remote-Access-Vulnerability-Exploited.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=28821"}],"version-history":[{"count":10,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28821\/revisions"}],"predecessor-version":[{"id":28844,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/28821\/revisions\/28844"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/28836"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=28821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=28821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=28821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}