BeyondTrust has disclosed a critical command injection vulnerability (CVE-2024-12356, CVSS score: 9.8) in its Privileged Remote Access (PRA) and Remote Support (RS) products that allows unauthenticated attackers to execute arbitrary commands. The flaw impacts PRA and RS versions 24.3.1 and earlier. Patches are available via updates BT24-10-ONPREM1/2 for on-premises users and were already applied to cloud instances as of December 16, 2024. The vulnerability was discovered during a forensic investigation into a December 2 security incident affecting some Remote Support SaaS customers; that breach involved a compromised API key, which was immediately revoked. BeyondTrust continues to investigate the incident's root cause and impact with external cybersecurity experts.