CISA warns second BeyondTrust vulnerability also exploited in the wild

by CybrGPT

The US cybersecurity agency added another BeyondTrust vulnerability to its known exploited vulnerabilities catalog.


The US Cybersecurity and Infrastructure Security Agency (CISA) has added a second vulnerability in BeyondTrust products, patched in December, to its catalog of known exploited vulnerabilities. The flaw is different from the one believed to have been used to compromise US Treasury workstations last month.

At the end of December, the US Department of the Treasury disclosed that state-sponsored Chinese attackers had managed to access some of its workstations and obtained unclassified information. The attackers reportedly targeted Treasury offices that review foreign investments for national security risks, issue sanctions involving foreign assets and are responsible for financial research.

The Treasury said the access occurred through a cloud-based remote support service operated by BeyondTrust. The vendor then confirmed that an API key for its Remote Support SaaS service had been compromised and, starting on 2 December, was used to reset the passwords of local application accounts and access the instances of a limited number of customers.

Other vulnerabilities identified in further investigation

As part of the subsequent forensics investigation, BeyondTrust identified two vulnerabilities that impacted both the cloud-hosted and self-hosted deployments of its Remote Support (RS) and Privileged Remote Access (PRA) products.

One of the vulnerabilities, CVE-2024-12356, was rated critical with a 9.8 CVSS score and allowed unauthenticated attackers to inject commands that are executed in the context of the site user. The second vulnerability, tracked as CVE-2024-12686, is also a command injection flaw but was rated medium severity because an attacker would already need administrator privileges to upload a malicious file and exploit it.

BeyondTrust patched both issues in the cloud version of its services and pushed the updates to self-hosted instances on 16 December. Users who had automatic updates disabled were advised to apply the patches manually.

CISA added the critical flaw, CVE-2024-12356, to its Known Exploited Vulnerabilities (KEV) catalog on 19 December, which indicates the agency had evidence it was being exploited in the wild. This led some to believe it was probably the flaw exploited in the attack that led to the compromise of workstations at the US Treasury.

Second flaw also exploited in the wild

However, on Monday, CISA added the second, medium-severity vulnerability, CVE-2024-12686, to KEV as well. It is not clear whether this flaw was exploited as part of the same attacks or in new ones following the BeyondTrust disclosure. Under CISA's binding operational directive, federal civilian agencies have until 3 February to determine whether they have vulnerable deployments and make sure the patches are applied.
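For teams that need to act on KEV additions like these, the practical step is to pull CISA's JSON feed, filter it for the vendors in your estate, and track the remediation deadline. The script below is an added example for this article, not code from CISA or BeyondTrust. The field names (cveID, vendorProject, product, dateAdded, dueDate and so on) are those of CISA's published feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalog excerpt embedded here is constructed: the 19 December addition date and the 3 February due date are from the article, while the remaining dates and the dummy third entry are assumptions for illustration.

```python
"""Filter a CISA KEV catalog export for one vendor and flag overdue deadlines.

Added example for this article, not CISA's or BeyondTrust's own tooling.
Field names follow CISA's public KEV JSON feed; the sample data below is
constructed, and every date not stated in the article is an assumption.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed.
# Known from the article: CVE-2024-12356 added 2024-12-19; CVE-2024-12686
# due 2025-02-03. Assumed: the 2024-12-27 due date, the 2025-01-13 add date
# (the Monday the article refers to), and the dummy "ExampleVendor" entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.13",            # assumed
    "dateReleased": "2025-01-13T00:00:00.0000Z",  # assumed
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-12356",
            "vendorProject": "BeyondTrust",
            "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
            "vulnerabilityName": "BeyondTrust PRA and RS Command Injection Vulnerability",
            "dateAdded": "2024-12-19",
            "shortDescription": "Unauthenticated command injection executed as the site user.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-12-27",             # assumed
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2024-12686",
            "vendorProject": "BeyondTrust",
            "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
            "vulnerabilityName": "BeyondTrust PRA and RS OS Command Injection Vulnerability",
            "dateAdded": "2025-01-13",           # assumed
            "shortDescription": "Command injection requiring administrative privileges to upload a malicious file.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-02-03",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {   # dummy entry to show that unrelated vendors are filtered out
            "cveID": "CVE-2024-0000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example Vulnerability",
            "dateAdded": "2025-01-13",
            "shortDescription": "Placeholder.",
            "requiredAction": "Placeholder.",
            "dueDate": "2025-02-03",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse a KEV JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def entries_for_vendor(entries: list[dict], vendor: str) -> list[dict]:
    """Return the entries whose vendorProject matches (case-insensitive)."""
    wanted = vendor.casefold()
    return [e for e in entries if e["vendorProject"].casefold() == wanted]


def remediation_status(entry: dict, today: date) -> tuple[str, int]:
    """Return ('overdue' | 'open', days until the KEV due date; negative if past)."""
    remaining = (date.fromisoformat(entry["dueDate"]) - today).days
    return ("overdue" if remaining < 0 else "open", remaining)


def vendor_report(text: str, vendor: str, today: date) -> dict[str, tuple[str, int]]:
    """Map each of the vendor's KEV CVE IDs to its remediation status."""
    return {e["cveID"]: remediation_status(e, today)
            for e in entries_for_vendor(load_kev(text), vendor)}


def matching_cves(text: str, scanner_cves: set[str]) -> set[str]:
    """Intersect CVE IDs reported by your own scanner with the KEV catalog."""
    return {e["cveID"] for e in load_kev(text)} & scanner_cves


if __name__ == "__main__":
    today = date(2025, 1, 14)  # assumed 'today' for the demonstration
    for cve, (status, days) in vendor_report(SAMPLE_KEV_JSON, "BeyondTrust", today).items():
        print(f"{cve}: {status} ({days:+d} days to due date)")
    print("in KEV:", matching_cves(SAMPLE_KEV_JSON, {"CVE-2024-12686", "CVE-2024-9999"}))
```

In production, replace SAMPLE_KEV_JSON with the downloaded feed and feed the scanner's CVE list into matching_cves; the due date comparison is what turns a KEV addition into a tracked deadline.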

Last week, in an update on its investigation into the Treasury breach, CISA said it didn’t have any indication that other government agencies had been impacted in the attack.
