
Cybersecurity Alert: BeyondTrust Remote Support SaaS Service Vulnerability

News Brief

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, also known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog.

Background of the Vulnerability

The medium-severity security bug was discovered during BeyondTrust’s security investigation of its Remote Support SaaS Service, launched after a major data breach at the US Treasury Department. The breach was reportedly caused by the Chinese hacking group Silk Typhoon, which gained credentials to Treasury workstations through a third-party vendor and then stole data. BeyondTrust identified BT24-11 in its self-hosted and cloud Remote Support and Privileged Remote Access products just two days after reporting BT24-10.

Update on the Vulnerability

On January 6, BeyondTrust reported that its forensic investigation is nearly complete and that all software-as-a-service instances of BeyondTrust Remote Support have been fully patched with no new identified victims. The company stated that "all cloud instances have been patched for this vulnerability" and that a patch for self-hosted versions has also been released.

CISA’s Warning

CISA warned that the vulnerability "can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user." This would allow a remote attacker to execute underlying operating system commands.

