FlagThis

BeyondTrust has confirmed a security breach affecting its Remote Support SaaS instances. Hackers exploited a compromised API key to reset account passwords, gaining unauthorized access. The company detected anomalous activity in early December, which led to the discovery of the compromised API key and subsequent quarantine of affected SaaS instances. BeyondTrust immediately revoked the API key and provided alternative instances for impacted customers.

The investigation revealed two critical vulnerabilities, CVE-2024-12356, a command injection flaw with a critical score of 9.8 and CVE-2024-12686, a privilege escalation vulnerability with a medium severity score of 6.6. The command injection vulnerability allows unauthenticated attackers to execute arbitrary commands, while the privilege escalation flaw enables attackers with administrative privileges to upload malicious files and run commands. BeyondTrust has released patches to address these vulnerabilities for both cloud and on-premise customers. The U.S. CISA has added the command injection flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and the need for immediate patching.

ImgSrc: www.bleepstatic.com

References:

• Cyber Security News - Cyberpress article on BeyondTrust patching PRA and RS flaws. - 7d
• Vulnerability Archives - CVE-2024-12356 (CVSS 9.8): Critical Vulnerability in BeyondTrust PRA and RS Enables Remote Code Execution - 7d
• The Hacker News - BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products - 7d
• Security Risk Advisors - Critical Command Injection Vulnerability in BeyondTrust Remote Access Products Enables Unauthenticated RCE - 7d
• www.beyondtrust.com - Critical command injection #vulnerability in #BeyondTrust Remote Support/PRA allows unauthenticated system access - 6d
• @screaminggoat - BeyondTrust : Apparently BeyondTrust discovered the vulnerabilities CVE-2024-12356 (see parent toot above) as well as (6.6 medium, disclosed ) Command Injection vulnerability in Remote Support(RS) & P - 6d
• Over Security - BeyondTrust says hackers breached remote support SaaS instances - 6d
• www.heise.de - Critical security gap in BeyondTrust Privileged Remote Access and Remote Support - 6d
• @heiseonlineenglish - Critical security gap in BeyondTrust Privileged Remote Access and Remote Support The developers have closed a dangerous vulnerability in current versions of BeyondTrust Privileged Remote Access and Re - 6d
• www.beyondtrust.com - BeyondTrust : Apparently BeyondTrust discovered the vulnerabilities CVE-2024-12356 (see parent toot above) as well as (6.6 medium, disclosed ) Command Injection vulnerability in Remote Support(RS) & P - 6d
• @screaminggoat - CISA : Very hot! 🥵 Page isn't live yet (access denied), but it's BeyondTrust CVE-2024-12356 (see parent toots above) NOTE THE DUE DATE!! This is a very important vulnerability to CISA! - 6d
• www.beyondtrust.com - Security Advisory: Command Injection vulnerability in Remote Support - 6d
• SOCRadar - Socradar article about BeyondTrust security incident - command injection. - 5d
• Security Archives - U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog - 5d
• @infosecnews.bsky.social - Bsky post about hackers breaching BeyondTrust’s Remote Support SaaS instances. - 5d
• Latest from TechRadar - BeyondTrust says hackers hit its remote support products - 5d
• GBHackers Security - GBHackers - CISA Warns of BeyondTrust Privileged Remote Access Exploited in Wild - 5d

Classification:

• HashTags: BeyondTrust DataBreach APIsecurity
• Company: BeyondTrust
• Target: BeyondTrust Users
• Product: Remote Support
• Feature: command injection
• Type: Hack
• Severity: Critical