SecurityWeek

BeyondTrust Patches Critical Vulnerability Discovered During Security Incident Probe

A critical vulnerability in BeyondTrust Privileged Remote Access and Remote Support could lead to arbitrary command execution.

BeyondTrust has released patches for a critical-severity vulnerability in its Privileged Remote Access (PRA) and Remote Support (RS) products that could be exploited to execute arbitrary commands. The flaw was discovered during an investigation into a security incident impacting some customers.

BeyondTrust’s PRA provides management of privileged user accounts, facilitating just-in-time secure access to enterprise environments, while RS enables authorized individuals to securely connect to remote systems and mobile devices.

Tracked as CVE-2024-12356 (CVSS score of 9.8), the security defect is described as an unauthenticated command injection bug that can be exploited using crafted client requests.

“Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user,” BeyondTrust notes in its advisory.

The issue impacts PRA and RS versions 24.3.1 and earlier. BeyondTrust has released a patch for all supported iterations of PRA and RS versions 22.1.x and higher and has applied the patch to cloud customers earlier this week.

“On-premise customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates in their /appliance interface. If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch,” BeyondTrust explains.

According to the company, CVE-2024-12356 was identified during a forensic investigation into a recent security incident involving unauthorized access to a “limited number” of customers’ Remote Support SaaS instances.

“On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised. BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” the company explains.

No other BeyondTrust products were affected by the incident, and the newly released patch for self-hosted instances is non-disruptive, causing no downtime, BeyondTrust says. Customers are advised to update their PRA and RS instances as soon as possible.

BeyondTrust has not clearly stated whether CVE-2024-12356 was exploited in attacks against its customers.

SecurityWeek has emailed the company for additional information and will update this article as soon as a reply arrives.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.