CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) to its Known Exploited Vulnerabilities (KEV) catalog, which it reserves for vulnerabilities with evidence of active exploitation. The flaw, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection vulnerability that lets an unauthenticated remote attacker inject commands that are executed in the context of a site user. BeyondTrust has already patched all cloud-hosted instances; customers running self-hosted deployments must apply the vendor's patches themselves.

BeyondTrust separately disclosed a cyber attack that compromised some Remote Support SaaS instances: the attackers obtained an API key for the service and used it to reset the passwords of local application accounts. A second, medium-severity command injection vulnerability, CVE-2024-12686 (CVSS score: 6.6), which requires existing administrative privileges to exploit, was uncovered during the investigation and has also been patched.

The exact scale of the attack and the identity of the perpetrators remain unknown, but BeyondTrust says all affected customers have been notified. Given the KEV listing, self-hosted users are urged to apply the patches without delay.
