PT-2024-10058 · Beyondtrust · Beyondtrust Privileged Remote Access, Beyondtrust Remote Support
Remmons-R7 · Published 2024-12-16 · Updated 2026-05-02 · CVE-2024-12356
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions prior to 24.3.1
PostgreSQL (affected versions not specified)
Description
A critical command injection vulnerability exists in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. The flaw allows an unauthenticated attacker to inject commands that are executed as a site user. The vulnerability, tracked as CVE-2024-12356, has a CVSS score of 9.8 and is actively exploited in the wild, including in attacks targeting the U.S. Treasury Department attributed to Chinese state-sponsored actors. It stems from a failure to properly sanitize input, which allows attackers to execute arbitrary operating system commands. A related zero-day vulnerability was also discovered in PostgreSQL during investigations into this issue. Approximately 8,600 systems are exposed globally, with a significant concentration in the United States. The vulnerability has been integrated into Patrowl. A breach of BeyondTrust's Remote Support SaaS instances occurred, enabling attackers to access an API and reset account passwords.
Recommendations
For on-premise systems, upgrade to at least version 22.1.x before applying the patch.
Upgrade BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) to version 24.02.001 or later.
For cloud-hosted versions, upgrade to version 24.2.1 or later.
If patching cannot be applied immediately, disconnect internet-facing appliances from public access.
Enforce VPN-only administration.
Apply strict IP allowlisting.
Deploy Web Application Firewall (WAF) rules to block command injection patterns.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
SQL injection
Command Injection
Affected Products
Beyondtrust Privileged Remote Access
Beyondtrust Remote Support