The Cybersecurity and Infrastructure Security Agency (CISA) has added a second vulnerability affecting BeyondTrust products, specifically Privileged Remote Access (PRA) and Remote Support (RS), to its Known Exploited Vulnerabilities (KEV) catalog. The addition follows confirmed evidence of active exploitation.
The flaw, tracked as CVE-2024-12686 (CVSS: 7.2), is an OS command injection that allows an attacker who already holds administrative privileges to inject commands and run them as a site user. CISA warns that attackers can exploit it to upload malicious files and execute commands on the affected system.
The inclusion of CVE-2024-12686 in the catalog comes about a month after another critical vulnerability in the same products, CVE-2024-12356 (CVSS: 9.8), was added; that flaw allows execution of arbitrary operating system commands.
BeyondTrust has confirmed that both vulnerabilities were discovered in December 2024 during its investigation of a security incident. In that incident, attackers abused a compromised Remote Support SaaS API key to access customer instances and reset passwords for local application accounts. BeyondTrust revoked the key, but the exact details of how it was obtained remain unclear, and the suspicion is that the intrusion began with zero-day exploitation.
In early January, the US Department of the Treasury disclosed that its network had been breached via the same API key. The attack has been attributed to the Chinese state-sponsored group Silk Typhoon (also known as Hafnium), which targeted entities including the Office of Foreign Assets Control (OFAC), financial research management, and the Committee on Foreign Investment in the United States (CFIUS).