BeyondTrust, a privileged access management company, reported a cyberattack in early December 2024. The company detected unusual activity on its network on December 2nd. An investigation confirmed that threat actors had breached some of its Remote Support SaaS instances.
The attackers used a compromised API key to reset passwords for local application accounts. BeyondTrust stated that a “limited number” of Remote Support SaaS customers were affected. On December 5th, the company revoked the API key, notified impacted customers, and suspended the affected instances.
BeyondTrust provided alternative Remote Support SaaS instances to those customers. It is not clear whether the attackers used the compromised instances to reach downstream customers. However, the investigation into the incident surfaced two security vulnerabilities, one critical and one of medium severity.
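The pattern described above, an API key used to reset passwords on local application accounts, is one defenders can hunt for in their own audit trails. The following Python is an added example and is not BeyondTrust's code or log format; the JSON field names (`ts`, `actor`, `auth`, `action`, `target`), the actor naming and the sample events are all constructed for illustration. It lists every password reset performed with API-key authentication, which should be rare in a well-run deployment, and raises a higher-confidence alert when one key resets several distinct local accounts within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (NOT BeyondTrust's real log format; the field
# names and values are assumptions made for this example). One JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-12-02T03:14:05Z", "actor": "api-key:7a1f", "auth": "api_key", "action": "password.reset", "target": "local:admin"}
{"ts": "2024-12-02T03:14:09Z", "actor": "api-key:7a1f", "auth": "api_key", "action": "password.reset", "target": "local:svc-backup"}
{"ts": "2024-12-02T03:14:31Z", "actor": "api-key:7a1f", "auth": "api_key", "action": "password.reset", "target": "local:helpdesk"}
{"ts": "2024-12-02T09:00:00Z", "actor": "user:jane", "auth": "sso", "action": "password.reset", "target": "local:jane"}
{"ts": "2024-12-02T11:22:00Z", "actor": "api-key:c0de", "auth": "api_key", "action": "session.list", "target": ""}
{"ts": "2024-12-02T18:00:00Z", "actor": "api-key:c0de", "auth": "api_key", "action": "password.reset", "target": "local:ops"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def api_key_password_resets(events):
    """Tier 1: every password reset performed with API-key authentication.

    Interactive resets by SSO users are normal; resets driven by an API key
    deserve review regardless of volume, because that is how a stolen key
    turns into account takeover.
    """
    return [e for e in events
            if e["action"] == "password.reset" and e["auth"] == "api_key"]


def burst_resets(events, window=timedelta(minutes=10), threshold=2):
    """Tier 2: API keys that reset passwords of at least `threshold` distinct
    accounts within any `window`. Returns {actor: sorted list of targets}.
    """
    by_actor = defaultdict(list)
    for e in sorted(api_key_password_resets(events), key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)

    alerts = {}
    for actor, evs in by_actor.items():
        # Slide a window starting at each event; events are time-sorted.
        for i, start in enumerate(evs):
            targets = {e["target"] for e in evs[i:]
                       if e["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                alerts[actor] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("API-key password resets to review:")
    for e in api_key_password_resets(evs):
        print(f"  {e['ts']:%Y-%m-%d %H:%M:%S} {e['actor']} -> {e['target']}")
    print("Burst alerts (revoke these keys and rotate affected accounts):")
    for actor, targets in burst_resets(evs).items():
        print(f"  {actor}: {', '.join(targets)}")
```

The two tiers are deliberate: the first catches a single quiet reset that a burst rule would miss, while the second gives responders a key to revoke and a list of accounts to rotate without wading through every interactive reset.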
BeyondTrust identifies critical security vulnerabilities
The first of these, CVE-2024-12356, is a critical command injection flaw affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. It can allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. The second, CVE-2024-12686, is a medium-severity vulnerability. It enables an attacker who already holds administrative privileges to inject commands and upload malicious files. At the time of its initial advisory, BeyondTrust had not confirmed active exploitation of either flaw.
Patches for the two vulnerabilities were applied automatically to all cloud instances. Customers running self-hosted instances need to apply the updates manually. BeyondTrust said its investigation is ongoing and that it will provide updates.
The company emphasized that it had not encountered ransomware during this intrusion. BeyondTrust stated, “As of this time, we have not encountered any instances of ransomware. Our investigation is ongoing, and we are working with independent third-party cybersecurity firms to conduct a thorough investigation.”
CISA later confirmed that CVE-2024-12356 had been exploited in attacks by adding it to its Known Exploited Vulnerabilities catalog, but did not share details of the attacks. Federal agencies are required to patch the critical vulnerability within one week. The issue affects Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and earlier.
BeyondTrust has rolled out fixes for cloud customers and released a patch for on-premises installations. The company says it is focused on ensuring all customer instances are fully updated and secure, and it continues to investigate the incident with assistance from independent cybersecurity firms.