CyberSecurity news
Bill Toulas@BleepingComputer
BeyondTrust has confirmed a security breach affecting its Remote Support SaaS instances. Hackers exploited a compromised API key to reset account passwords, gaining unauthorized access. The company detected anomalous activity in early December, which led to the discovery of the compromised API key and subsequent quarantine of affected SaaS instances. BeyondTrust immediately revoked the API key and provided alternative instances for impacted customers.
The investigation revealed two vulnerabilities: CVE-2024-12356, a command injection flaw rated critical with a score of 9.8, and CVE-2024-12686, a privilege escalation vulnerability rated medium with a score of 6.6. The command injection vulnerability allows unauthenticated attackers to execute arbitrary commands, while the privilege escalation flaw enables attackers with administrative privileges to upload malicious files and run commands. BeyondTrust has released patches that address both vulnerabilities for cloud and on-premise customers. The U.S. CISA has added the command injection flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and the need for immediate patching.