Vulnerability Alert: BeyondTrust Privileged Remote Access and Remote Support Products Affected

U.S. Cybersecurity and Infrastructure Security Agency (CISA) Adds New Security Flaw to Known Exploited Vulnerabilities (KEV) Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

Vulnerability Details

The vulnerability in question is CVE-2024-12686 (CVSS score: 6.6), a medium-severity bug that could allow an attacker with existing administrative privileges to inject commands and run as a site user.

Background

BeyondTrust said both vulnerabilities were discovered as part of its investigation into a cyber incident in early December 2024 that involved malicious actors leveraging a compromised Remote Support SaaS API key to breach some of the instances, and reset passwords for local application accounts.

Exploitation and Impact

Although the API key has since been revoked, the exact manner in which the key was compromised remains unknown as yet. It’s suspected that the threat actors exploited the two flaws as zero-days to break into BeyondTrust systems.

Earlier this month, the U.S. Treasury Department revealed its network was breached using the compromised API key in what it said was a "major cybersecurity incident." The hack has been pinned on a Chinese state-sponsored group called Silk Typhoon (aka Hafnium).

Additional Vulnerability Added to KEV Catalog

The addition of CVE-2024-12686 to the KEV catalog comes nearly a month after it added another critical security flaw impacting the same product (CVE-2024-12356, CVSS score: 9.8) that could also lead to the execution of arbitrary commands.

Patching and Mitigation

Federal agencies are required to apply the necessary patches by February 3, 2024, to secure their networks against active threats.

Additional Vulnerability Added to KEV Catalog

Also added to the KEV catalog is a now-patched critical security vulnerability affecting Qlik Sense (CVE-2023-48365, CVSS score: 9.9) that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

It’s worth noting that the security flaw has been actively exploited in the past by the Cactus ransomware group.

Conclusion

The threat actors are believed to have specifically targeted the Treasury’s Office of Foreign Assets Control (OFAC), Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS), according to multiple reports from the Washington Post and CNN.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.