Critical Pre-Auth RCE Vulnerability (CVE-2024-12356) in BeyondTrust Remote Support and PRA Actively Exploited – Patch Now
- Rescana

Executive Summary
A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2024-12356 [VERIFIED - NVD], has been identified and patched in BeyondTrust's flagship products: Privileged Remote Access (PRA) and Remote Support (RS) [VERIFIED - NVD]. This vulnerability enables unauthenticated attackers to execute arbitrary operating system commands as the site user, potentially resulting in full system compromise, data exfiltration, and lateral movement within affected networks [VERIFIED - NVD]. The flaw is actively exploited in the wild [VERIFIED - Multiple Sources], with confirmed targeting of U.S. government entities and critical infrastructure by advanced persistent threat (APT) groups [UNVERIFIED - source needed]. Immediate action is required to mitigate risk, as the vulnerability is cataloged in CISA’s Known Exploited Vulnerabilities (KEV) [VERIFIED - Multiple Sources] and has a CVSS score of 9.8, denoting critical severity [VERIFIED - NVD].
Technical Information
CVE-2024-12356 is a command injection vulnerability (CWE-77) [VERIFIED - NVD] affecting BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) up to and including version 24.3.1 [VERIFIED - NVD]. The vulnerability arises from improper input validation in the products’ authentication and command-handling routines, allowing remote, unauthenticated attackers to inject and execute arbitrary operating system commands with the privileges of the site user [VERIFIED - NVD]. This attack vector is network-based, requiring no prior authentication or user interaction, which significantly increases the risk profile for exposed instances [VERIFIED - NVD].
The vulnerability is triggered by sending specially crafted requests to the affected BeyondTrust services. These requests exploit insufficient sanitization of user-supplied input, which is subsequently passed to a command interpreter. As a result, attackers can execute arbitrary shell commands, install malware, create new user accounts, exfiltrate sensitive data, or use the compromised system as a pivot point for further attacks within the organization’s network [VERIFIED - NVD].
The criticality of this vulnerability is underscored by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [VERIFIED - NVD], indicating that exploitation is straightforward, requires no privileges, and can result in complete loss of confidentiality, integrity, and availability. The vulnerability is classified as pre-authentication, meaning that attackers do not need valid credentials to exploit it, and it can be weaponized against any internet-exposed or internally accessible vulnerable instance [VERIFIED - NVD].
BeyondTrust has released security advisory BT24-10, confirming the vulnerability and providing patched versions (24.3.2 and later) for both PRA and RS [VERIFIED - NVD]. The vendor’s advisory details the technical root cause, affected versions, and remediation steps [VERIFIED - NVD]. Security researchers and threat intelligence platforms, including Censys and Rapid7, have corroborated the technical details and highlighted the widespread exposure of vulnerable instances, particularly in the United States [VERIFIED - Multiple Sources].
Exploitation in the Wild
Exploitation of CVE-2024-12356 has been confirmed in the wild [VERIFIED - Multiple Sources]. The vulnerability was publicly disclosed on December 16, 2024 [VERIFIED - Multiple Sources], and added to the CISA KEV catalog on December 19, 2024 [VERIFIED - Multiple Sources], signaling active exploitation and significant risk to federal and private sector organizations. Multiple security news outlets, including BleepingComputer and Federal News Network, have reported incidents where unauthorized access to BeyondTrust RS SaaS instances was achieved using compromised API keys, and where Chinese state-sponsored attackers leveraged stolen BeyondTrust credentials to access unclassified U.S. Treasury Department systems [UNVERIFIED - source needed].
Censys has observed over 13,000 exposed BeyondTrust RS and PRA instances online as of January 2025, with approximately 72% geolocated in the United States [VERIFIED - Multiple Sources]. This widespread exposure amplifies the risk of mass exploitation, especially for organizations that have not yet applied the vendor’s patch.
While BeyondTrust is still investigating the full scope of these incidents, the presence of the vulnerability in actively targeted environments, combined with its inclusion in the CISA KEV catalog, confirms that exploitation is ongoing and not theoretical [VERIFIED - Multiple Sources]. Security researchers have not released public proof-of-concept (PoC) exploit code [VERIFIED - Multiple Sources], but the technical simplicity of the vulnerability and the observed attack activity suggest that exploitation is well within the capabilities of both sophisticated and opportunistic threat actors.
APT Groups Using This Vulnerability
Attribution of exploitation activity has been linked to Chinese state-sponsored APT groups, specifically Silk Typhoon (also known as APT41) [UNVERIFIED - source needed]. Open-source reporting and government advisories indicate that Silk Typhoon has targeted U.S. government entities, including the Treasury Department, the Committee on Foreign Investment in the United States (CFIUS), and the Office of Foreign Assets Control (OFAC), using BeyondTrust vulnerabilities as an initial access vector [UNVERIFIED - source needed].
These APT groups are known for their advanced capabilities, persistence, and focus on espionage and data theft. In the context of CVE-2024-12356, Silk Typhoon actors reportedly stole unclassified information about potential sanctions actions and other sensitive documents from compromised BeyondTrust instances [UNVERIFIED - source needed]. The group’s targeting of financial and government sectors underscores the strategic value of exploiting this vulnerability.
While the primary focus has been on U.S. government and financial services, the global customer base of BeyondTrust means that organizations in over 100 countries could be at risk if they have not remediated vulnerable deployments [VERIFIED - Multiple Sources]. The technical characteristics of the vulnerability make it attractive for both targeted and opportunistic campaigns, and the lack of authentication requirements lowers the barrier to entry for less sophisticated actors [VERIFIED - NVD].
Affected Product Versions
The following product versions are affected by CVE-2024-12356: BeyondTrust Privileged Remote Access (PRA) versions up to and including 24.3.1, and BeyondTrust Remote Support (RS) versions up to and including 24.3.1 [VERIFIED - NVD]. Any deployment, whether on-premises or SaaS, running these versions is vulnerable to remote, unauthenticated command injection and should be considered at high risk [VERIFIED - NVD].
BeyondTrust has released patched versions, with PRA and RS 24.3.2 and later addressing the vulnerability [VERIFIED - NVD]. Organizations should verify the version of their BeyondTrust deployments and prioritize immediate upgrade if running an affected release.
Workaround and Mitigation
The primary mitigation for CVE-2024-12356 is to upgrade all affected BeyondTrust PRA and RS instances to version 24.3.2 or later, as provided in the vendor’s security advisory [VERIFIED - NVD]. Patching should be performed as a matter of urgency, given the active exploitation and critical severity [VERIFIED - Multiple Sources].
If immediate patching is not feasible, organizations should consider discontinuing use of the affected products until remediation is possible [VERIFIED - Multiple Sources]. Additional risk reduction measures include restricting network access to BeyondTrust management interfaces, ensuring that only trusted internal networks can reach these services, and monitoring for indicators of compromise (IOCs). The following queries help identify exposed instances:
For external exposure assessment, use the Censys search query [VERIFIED - Multiple Sources]:
services.software: (vendor="BeyondTrust" and (product="Remote Support" or product="Privileged Remote Access")) and not labels: {tarpit, honeypot}
For internal asset management, use the ASM query [VERIFIED - Multiple Sources]:
host.services.software: (vendor="BeyondTrust" and (product="Remote Support" or product="Privileged Remote Access")) and not host.labels: {tarpit, honeypot}
Organizations should also review authentication and API key usage, rotate and secure all credentials, and monitor for unauthorized access attempts [VERIFIED - Multiple Sources]. If compromise is suspected, a full forensic investigation and credential reset are recommended [VERIFIED - Multiple Sources].
References
NVD CVE-2024-12356 [VERIFIED - NVD]
Censys Advisory [VERIFIED - Multiple Sources]
CISA KEV Catalog [VERIFIED - Multiple Sources]
BeyondTrust Security Advisory (BT24-10) [VERIFIED - NVD]
BleepingComputer Article [VERIFIED - Multiple Sources]
Federal News Network Article [UNVERIFIED - source needed]
Rapid7 Analysis [VERIFIED - Multiple Sources]
SentinelOne Vulnerability Database [VERIFIED - Multiple Sources]
Rescana is here for you
Rescana is committed to helping organizations manage and reduce third-party risk across their digital supply chain. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you identify and remediate vulnerabilities in your vendor ecosystem. We encourage all customers to review their exposure to BeyondTrust products and ensure that all instances are patched and secured. For any questions, guidance, or support, please contact us at ops@rescana.com.