CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks

Attackers have been exploiting a second vulnerability in BeyondTrust’s remote management solutions, CISA warns.

The US cybersecurity agency CISA is urging federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) enterprise solutions, based on evidence of active exploitation.

Tracked as CVE-2024-12686, the flaw is a medium-severity command injection issue that BeyondTrust discovered while investigating the compromise of a limited number of customer Remote Support SaaS instances, including one associated with the US Department of the Treasury.

The attack on the US Treasury was disclosed on December 31 and was attributed to Chinese hackers. The state-sponsored threat actor known as Silk Typhoon was reportedly responsible for the intrusion.

In early December 2024, BeyondTrust discovered that hackers had been using a compromised API key for a remote access service to target several customers, and announced that a critical zero-day vulnerability tracked as CVE-2024-12356 was identified during the investigation.

CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog on December 19. Last week, CISA said it had no evidence that any agency other than the US Treasury was compromised in the BeyondTrust incident.

On Monday, the cybersecurity agency warned that CVE-2024-12686 – the second BeyondTrust bug identified during the security incident probe – has been exploited in the wild as well, and added it to the KEV catalog.

The security defect “can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user”, CISA says.

As mandated by Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable BeyondTrust PRA and RS instances in their environments and to apply the available patches. In this case, the deadline is February 3.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and prioritize patching the vulnerabilities it contains, or consider removing the affected products from their environments if patching is not possible.
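The review CISA recommends is easiest to do against the machine-readable KEV feed rather than the web page: join the catalog to your own asset inventory by vendor and product, then sort by due date. The script below is an added example written for this article, not code from SecurityWeek, CISA or BeyondTrust. The JSON it parses is a constructed sample in the field layout of CISA's public known_exploited_vulnerabilities.json (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse); the dates match the ones reported in this article where it states them, the rest of the sample (descriptions, the due date of the first entry, the hostnames) is illustrative. In production you would fetch the live feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and feed it your real inventory.

```python
"""Triage CISA KEV entries against an asset inventory and rank by patch deadline.

Added example for this article, not CISA's, BeyondTrust's or SecurityWeek's code.
SAMPLE_KEV_JSON is a constructed sample in the shape of CISA's KEV feed; dates
taken from the article are the dateAdded values and the February 3 due date,
the remaining values are illustrative placeholders.
"""
import json
from datetime import date

# Constructed sample in the KEV feed schema (not the real catalog).
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-12356",
      "vendorProject": "BeyondTrust",
      "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
      "vulnerabilityName": "BeyondTrust PRA and RS Command Injection Vulnerability",
      "dateAdded": "2024-12-19",
      "shortDescription": "Command injection exploitable by an unauthenticated remote attacker (sample text).",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-12-27",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-2024-12686",
      "vendorProject": "BeyondTrust",
      "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
      "vulnerabilityName": "BeyondTrust PRA and RS OS Command Injection Vulnerability",
      "dateAdded": "2025-01-13",
      "shortDescription": "Command injection exploitable by an attacker with existing administrative privileges via a malicious file upload (sample text).",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-02-03",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed asset inventory with hypothetical hostnames; the vendor/product
# strings are what the join below matches against the KEV product field.
SAMPLE_INVENTORY = [
    {"host": "rs01.corp.example", "vendor": "BeyondTrust", "product": "Remote Support"},
    {"host": "pra01.corp.example", "vendor": "BeyondTrust", "product": "Privileged Remote Access"},
    {"host": "fw01.corp.example", "vendor": "ExampleVendor", "product": "Edge Gateway"},
]


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def kev_entries_for(entries, vendor, product=None):
    """Entries whose vendorProject matches exactly (case-insensitive) and whose
    product string contains the given product keyword, if one is supplied."""
    hits = []
    for entry in entries:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        if product and product.lower() not in entry["product"].lower():
            continue
        hits.append(entry)
    return hits


def triage(kev_text, inventory, today_iso):
    """Join the inventory to the KEV catalog and return one action row per
    (host, CVE), most urgent deadline first; negative days_remaining means the
    BOD 22-01 due date has already passed."""
    today = date.fromisoformat(today_iso)
    entries = load_kev(kev_text)
    rows = []
    for asset in inventory:
        for entry in kev_entries_for(entries, asset["vendor"], asset["product"]):
            remaining = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "added": entry["dateAdded"],
                "due": entry["dueDate"],
                "days_remaining": remaining,
                "overdue": remaining < 0,
                "ransomware_use": entry["knownRansomwareCampaignUse"],
                "action": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (r["days_remaining"], r["host"]))
    return rows


if __name__ == "__main__":
    # Run against the constructed sample as of the day after the KEV addition.
    for row in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-01-14"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_remaining']}d left"
        print(f"{row['host']:22} {row['cve']:16} due {row['due']} ({flag})")
```

The join is deliberately by vendor plus a product substring rather than by exact product name, because CISA's product field often bundles several products into one entry (as it does for PRA and RS here) and will not match an inventory that lists them separately. The output does not tell you whether a given instance is already patched: KEV carries no version data, so the next step is to check each host's installed version against the vendor advisory.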

US officials told the press in recent days that the Chinese cyberspies targeted several offices of the US Treasury, including ones dealing with foreign investments and sanctions.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.