Executive Summary
A critical authentication bypass and remote code execution vulnerability, tracked as CVE-2024-12356, has been identified in BeyondTrust's flagship products: Remote Support (RS) and Privileged Remote Access (PRA). This flaw enables unauthenticated attackers to execute arbitrary commands as the site user, providing a direct path to compromise enterprise environments. The vulnerability is being actively exploited in the wild, including in high-profile attacks attributed to state-sponsored actors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation by adding this CVE to its Known Exploited Vulnerabilities (KEV) catalog on December 19, 2024. Immediate patching is mandatory to prevent compromise.
Technical Information
CVE-2024-12356 is a command injection vulnerability resulting from improper neutralization of special elements in shell scripts within BeyondTrust Remote Support and Privileged Remote Access appliances. The vulnerability is present in the thin-scc-wrapper shell script, which fails to sanitize user-supplied input. Attackers can exploit this flaw over the network, without authentication or user interaction, by sending specially crafted WebSocket requests to the /nw endpoint. The exploit chain leverages a secondary vulnerability in PostgreSQL (psql), tracked as CVE-2025-1094, which mishandles invalid UTF-8 byte sequences, enabling SQL injection and subsequent OS command execution.
The attack vector involves manipulating the Sec-WebSocket-Protocol and X-Ns-Company headers to inject malicious payloads. A working exploit is publicly available in the Metasploit framework, making exploitation trivial for both sophisticated and opportunistic threat actors. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-88 (Argument Injection), with a CVSS v3.1 base score of 9.8, reflecting its criticality.
Upon successful exploitation, attackers gain the ability to execute arbitrary shell commands as the site user, which can lead to full system compromise, lateral movement, data exfiltration, and persistence. Forensic evidence may include log entries indicating invalid UTF-8 byte sequences and the presence of attacker-created files in system directories such as /var/tmp/.
Exploitation in the Wild
CISA has confirmed that CVE-2024-12356 is actively exploited, adding it to the KEV catalog on December 19, 2024. The vulnerability has been weaponized in public exploit frameworks, including Metasploit, and has been used in high-profile attacks such as the breach of the U.S. Treasury Department. Exploitation is reliable, automatable, and requires no user interaction, significantly increasing the risk to unpatched systems. Organizations should assume that unpatched appliances are at high risk of compromise.
APT Groups using this vulnerability
Attribution analysis and open-source intelligence confirm that Chinese state-sponsored advanced persistent threat (APT) groups have leveraged CVE-2024-12356 in targeted attacks. The most notable incident involved the compromise of the U.S. Treasury Department, as reported by major media outlets and corroborated by threat intelligence vendors. The use of this vulnerability by APT actors underscores its strategic value for initial access, privilege escalation, and lateral movement within high-value networks.
Affected Product Versions
The following product versions are affected by CVE-2024-12356: BeyondTrust Remote Support (RS) versions up to and including 24.3.1, and BeyondTrust Privileged Remote Access (PRA) versions up to and including 24.3.1. Customers running versions older than 22.1 must upgrade to a supported version before applying the security patch.
Workaround and Mitigation
Immediate patching is the only effective mitigation. BeyondTrust has released security advisories and patches (BT24-10-ONPREM1 and BT24-10-ONPREM2) addressing this vulnerability. Customers must upgrade to the latest supported version and apply the patch without delay. The patch remediates both the command injection in the shell script and the PostgreSQL argument injection by sanitizing input and blocking malicious byte sequences. There are no viable workarounds; discontinuing use of the affected products is recommended if patching is not possible. Organizations should also monitor for indicators of compromise and review logs for evidence of exploitation.
Indicators of Compromise
The following indicators are point-in-time and should be validated before enforcement. They are extracted from public technical analyses and advisories.
Type | Indicator | Reported (date) | Source
|
Domain | attackerkb[.]com | 2025-02-13 | Rapid7 AttackerKB |
Domain | www[.]beyondtrust[.]com | 2024-12-17 | BeyondTrust Advisory |
Domain | www[.]nytimes[.]com | 2025-01-10 | NYT Treasury Hack Coverage |
URL | hxxps://attackerkb[.]com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis | 2025-02-13 | Rapid7 AttackerKB |
URL | hxxps://www[.]beyondtrust[.]com/trust-center/security-advisories/bt24-10 | 2024-12-17 | BeyondTrust Advisory |
URL | hxxps://www[.]nytimes[.]com/2025/01/10/us/politics/treasury-hack-china[.]html | 2025-01-10 | NYT Treasury Hack Coverage |
References
NVD: CVE-2024-12356, Rapid7 AttackerKB Analysis, CISA KEV Catalog, Metasploit Module, BeyondTrust Advisory, NYT Treasury Hack Coverage
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated risk assessment, and actionable intelligence. Our team is dedicated to helping you understand and mitigate emerging threats in your digital ecosystem. We are happy to answer questions at info@rescana.com.



