CISA Urges Immediate Patching of Exploited BeyondTrust Vulnerability
Summary:
CISA is advising organizations to promptly patch a critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). Tracked as CVE-2024-12356, this flaw has been assigned a CVSS score of 9.8, indicating a critical level of severity. Notably, the vulnerability can be exploited without authentication, allowing remote attackers to execute underlying operating system commands within the context of the site user.
BeyondTrust has confirmed that CVE-2024-12356 affects all PRA and RS versions up to 24.3.1. The vendor deployed fixes to cloud customers last week, and is currently working to ensure that all customer instances—both cloud-based and self-hosted—are fully patched and secure.
Security Officer Comments:
BeyondTrust revealed that it identified the vulnerability following a forensic investigation into the compromise of a limited number of customer Remote Support SaaS instances. Although the vendor did not confirm whether CVE-2024-12356 was exploited in these incidents, CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) list and is urging federal agencies to apply the available patches within one week, by December 27.
Suggested Corrections:
CVE-2024-12356 is addressed through a patch available for all supported releases of RS and PRA version 22.1.x and higher. As of December 16, 2024, the patch has been applied to all RS/PRA cloud customers, effectively remediating the vulnerability. On-premises customers should apply the patch manually if their instance is not subscribed to automatic updates via the /appliance interface. Additionally, customers using versions older than 22.1 must first upgrade to a supported release in order to apply the patch.
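As an added example, not part of this advisory or of BeyondTrust's own tooling, a small Python triage helper that sorts an exported PRA/RS appliance inventory into "apply patch", "verify patch" and "upgrade first" buckets using the version boundaries stated above (the inventory format, the hostnames and the treatment of 24.3.1 and 22.1 as exact cutoffs are assumptions of the example):

```python
import re
from dataclasses import dataclass
from typing import List

# Boundaries taken from the advisory text: every PRA/RS release up to and
# including 24.3.1 is affected, and the patch applies to 22.1.x and higher.
# Treating them as exact version cutoffs is an assumption of this example.
LAST_AFFECTED = (24, 3, 1)
MIN_PATCHABLE = (22, 1, 0)


@dataclass
class Triage:
    host: str
    version: tuple
    affected: bool
    action: str  # "none", "verify_patch", "apply_patch" or "upgrade_then_patch"


def parse_version(text: str) -> tuple:
    """Parse '24.3.1' or '22.1' into a 3-tuple; a missing third digit counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(host: str, version_text: str, auto_update: bool) -> Triage:
    """Classify one appliance against the advisory's version boundaries.

    The version string alone cannot prove the patch is installed, so an affected
    host on automatic updates is marked for verification rather than cleared."""
    v = parse_version(version_text)
    if v > LAST_AFFECTED:
        return Triage(host, v, False, "none")
    if v < MIN_PATCHABLE:
        return Triage(host, v, True, "upgrade_then_patch")
    return Triage(host, v, True, "verify_patch" if auto_update else "apply_patch")


def triage_inventory(rows: List[dict]) -> List[Triage]:
    return [triage(r["host"], r["version"], r["auto_update"]) for r in rows]


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "pra-01.example.internal", "version": "24.3.1", "auto_update": True},
    {"host": "rs-legacy.example.internal", "version": "21.2.2", "auto_update": False},
    {"host": "rs-02.example.internal", "version": "23.2", "auto_update": False},
]

if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        ver = ".".join(map(str, t.version))
        print(f"{t.host:28} {ver:8} affected={t.affected} action={t.action}")
```

Hosts in the "verify_patch" bucket still need the installed patch level confirmed in the /appliance interface; the version number does not change the classification on its own.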
Link(s):
https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-beyondtrust-vulnerability/