Date of Disclosure (source): December 16, 2024
Date Reported as Actively Exploited (source): December 19, 2024
**Update** (January 6, 2025): As of January 6, 2025, we observed 13,548 exposed BeyondTrust Remote Support & Privileged Remote Access instances online, roughly 5,000 more than the 8,602 instances we reported on January 2, 2025. We have modified our detection methods for these devices since the original advisory was published, so the counts may continue to fluctuate over the next few days.
CVE-2024-12356 is a critical vulnerability (CVSS 9.8) affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and earlier.
If successfully exploited, it allows an unauthenticated threat actor to execute underlying operating system commands in the context of the site user. The vulnerability is known to be exploited in the wild: CISA added it to its Known Exploited Vulnerabilities catalog on December 19, 2024.
A recent breach reported by BleepingComputer involved unauthorized access to BeyondTrust RS SaaS instances via a compromised API key. In a separate incident reported by the Federal News Network, the Treasury Department acknowledged that Chinese hackers accessed several unclassified systems. The attackers used a key stolen from BeyondTrust to override the service’s security controls, allowing them to access several employee workstations.
BeyondTrust is conducting an ongoing security investigation related to these incidents, but they have not explicitly confirmed exploitation of CVE-2024-12356 in relation to either attack.
| Field | Details |
|---|---|
| CVE-ID | CVE-2024-12356 – CVSS 9.8 (critical) – assigned by BeyondTrust |
| Vulnerability Description | A critical vulnerability in Privileged Remote Access (PRA) and Remote Support (RS) allows an unauthenticated attacker to inject commands that are executed as the site user. |
| Date of Disclosure | December 16, 2024 |
| Affected Assets | BeyondTrust PRA and RS products |
| Vulnerable Software Versions | RS & PRA 24.3.1 and earlier |
| PoC Available? | No fully public exploit. cloudefence published a PoC on GitHub that links to an exploit behind a paywall. |
| Exploitation Status | Added to CISA’s Known Exploited Vulnerabilities catalog on December 19, 2024. |
| Patch Status | Fixed through a patch available for all supported releases of RS & PRA 22.1.x and higher. |
Censys Perspective
At the time of writing, Censys observed 8,602 exposed BeyondTrust RS & PRA instances. A large proportion of these (72%) are geolocated in the United States. Note that not all observed instances are necessarily vulnerable: our scans do not reveal the specific software version running on each host, so exposure is not the same as vulnerability.
Map of Exposed BeyondTrust RS & PRA Instances:
Censys Search Query:
services.software: (vendor="BeyondTrust" and (product="Remote Support" or product="Privileged Remote Access")) and not labels: {tarpit, honeypot}
Censys ASM Query:
host.services.software: (vendor="BeyondTrust" and (product="Remote Support" or product="Privileged Remote Access")) and not host.labels: {tarpit, honeypot}
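The two queries above only give a raw host count. The script below is an added example (not Censys’s own tooling) that turns the advisory’s exposure query into a per-country breakdown like the 72% United States figure quoted in this section. The query strings are taken verbatim from this page; the Censys Search API v2 `hosts/aggregate` endpoint, its Basic-auth scheme and its response shape are assumptions to check against the current API documentation, and the sample response embedded in the script is constructed, with counts chosen to reproduce the advisory’s 8,602 / 72% headline numbers.

```python
"""Per-country exposure report for the BeyondTrust RS/PRA Censys query.

Added example, not Censys tooling. The query strings are the ones printed in
the advisory; the Search API v2 /hosts/aggregate endpoint and its response
shape are assumptions to verify against current Censys API docs.
"""
import base64
import json
import urllib.parse
import urllib.request

# Software-match expression shared by the Search and ASM queries on the page.
_SOFTWARE_MATCH = (
    'software: (vendor="BeyondTrust" and '
    '(product="Remote Support" or product="Privileged Remote Access"))'
)


def build_query(asm: bool = False) -> str:
    """Return the Censys Search (default) or ASM query from the advisory.

    ASM queries use the ``host.`` prefix on both the services and labels fields.
    """
    prefix = "host." if asm else ""
    return (
        f"{prefix}services.{_SOFTWARE_MATCH} "
        f"and not {prefix}labels: {{tarpit, honeypot}}"
    )


def summarize_exposure(result: dict, top_n: int = 3) -> dict:
    """Summarise an aggregate ``result`` dict (``total`` plus country ``buckets``).

    Returns the total host count and the top-N countries with their share,
    rounded to whole percent, so the output can be compared directly with
    the advisory's headline numbers. Exposure here means "matched the
    query", not "confirmed vulnerable": version is not observable.
    """
    total = int(result["total"])
    buckets = sorted(result["buckets"], key=lambda b: b["count"], reverse=True)
    top = [
        {
            "country": b["key"],
            "count": b["count"],
            "percent": round(100 * b["count"] / total) if total else 0,
        }
        for b in buckets[:top_n]
    ]
    return {"total": total, "top": top}


def fetch_aggregate(query: str, api_id: str, api_secret: str,
                    field: str = "location.country", num_buckets: int = 25) -> dict:
    """Call the (assumed) Censys Search API v2 hosts aggregate endpoint.

    Credentials are the Censys API ID/secret pair sent as HTTP Basic auth.
    Only this function needs network access; the helpers above run offline.
    """
    params = urllib.parse.urlencode(
        {"q": query, "field": field, "num_buckets": num_buckets}
    )
    url = f"https://search.censys.io/api/v2/hosts/aggregate?{params}"
    token = base64.b64encode(f"{api_id}:{api_secret}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


# Constructed sample response (not real scan data): counts are chosen so the
# summary reproduces the advisory's 8,602 hosts / 72% United States split.
SAMPLE_RESULT = {
    "total": 8602,
    "field": "location.country",
    "buckets": [
        {"key": "United States", "count": 6193},
        {"key": "Germany", "count": 512},
        {"key": "United Kingdom", "count": 398},
        {"key": "Canada", "count": 301},
    ],
}

if __name__ == "__main__":
    import os
    # Offline demonstration on the constructed sample.
    print(json.dumps(summarize_exposure(SAMPLE_RESULT), indent=2))
    # Live run only when Censys credentials are present in the environment.
    if os.environ.get("CENSYS_API_ID") and os.environ.get("CENSYS_API_SECRET"):
        live = fetch_aggregate(build_query(),
                               os.environ["CENSYS_API_ID"],
                               os.environ["CENSYS_API_SECRET"])
        print(json.dumps(summarize_exposure(live), indent=2))
```

Run it with `CENSYS_API_ID` and `CENSYS_API_SECRET` set to get a live breakdown; without them it only prints the summary of the constructed sample. Because the scans do not expose the running version, treat every matched host as a candidate to verify against the 24.3.1-and-earlier range rather than as a confirmed vulnerable instance.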