CISA Warns of Critical Vulnerability in BeyondTrust Tools
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert for federal agencies regarding a command injection vulnerability identified as CVE-2024-12686, also referred to as BT24-11. This vulnerability has been officially categorized in the Known Exploited Vulnerabilities (KEV) Catalog, emphasizing its significance in the cybersecurity landscape.
Discovered during a security investigation into BeyondTrust’s Remote Support Software as a Service (SaaS), the medium-severity bug has raised alarms, particularly following a substantial data breach within the US Treasury Department. This incident, linked to a Chinese cybercriminal group known as Silk Typhoon, occurred in December 2024, allowing attackers to exploit vulnerabilities related to third-party vendors to gain unauthorized access to sensitive data.
On December 18, BeyondTrust acknowledged the identification of BT24-11 alongside another vulnerability, BT24-10, spotlighting the urgency of addressing these security flaws in their self-hosted and cloud-based remote access solutions.
As of January 6, BeyondTrust reported significant progress in their forensic investigation, indicating that all instances of BeyondTrust Remote Support hosted in the cloud had been thoroughly patched. They confirmed that there are no new victims linked to this vulnerability, thereby bolstering confidence in their remedial actions.
According to BeyondTrust’s recent update, “All cloud instances have been patched for this vulnerability,” reassuring users that self-hosted versions also received the necessary updates.
CISA elaborated on the nature of this vulnerability, clarifying that it “can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user.” This exploitation could enable adversaries to execute operating system commands remotely, potentially compromising the security of affected systems.
Source: www.darkreading.com