
BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)

BeyondTrust has fixed an unauthenticated command injection vulnerability (CVE-2024-12356) in its Privileged Remote Access (PRA) and Remote Support (RS) products that may allow remote code execution, and is urging organizations with on-premise installations to test the patch and implement it quickly.


About CVE-2024-12356

BeyondTrust Privileged Remote Access is an enterprise solution that mediates secure remote access to enterprise environments for employees and trusted vendors. BeyondTrust Remote Support allows organizations’ IT helpdesk personnel to securely connect to and provide support for remote systems.

CVE-2024-12356 is a command injection vulnerability stemming from the improper neutralization of special elements used in commands. It can be triggered via a malicious client request, and may allow unauthenticated remote attackers to execute underlying operating system commands within the context of the site user.

No privileges and no user interaction are required for successful exploitation, and the complexity of the attack is deemed to be “low”.

BeyondTrust has confirmed that the vulnerability affects all versions of the two software solutions, up until and including v24.3.1.

“A patch has been applied to all RS/PRA cloud customers as of December 16, 2024 that remediates this vulnerability,” the company said.

“On-premise customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates in their /appliance interface. If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch.”

No alternative mitigations or workarounds are available.
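The version guidance above can be turned into an inventory triage check. The following Python sketch is an added example, not code from BeyondTrust or from the original article; the hostnames and inventory format are constructed, and it assumes the reported version string alone does not reveal whether the patch is already installed.

```python
import re

# Boundaries taken from the guidance quoted in the article.
LAST_AFFECTED = (24, 3, 1)  # affected up to and including v24.3.1
MIN_PATCHABLE = (22, 1)     # versions older than 22.1 must upgrade before patching

def parse_version(text):
    """Turn '24.3.1' or 'v22.1' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(version, width=4):
    """Right-pad with zeros so (22, 1) and (22, 1, 0) compare as equal."""
    return version + (0,) * (width - len(version))

def triage(deployment, version_text):
    """Return the action for one RS/PRA instance ('cloud' or 'on-prem')."""
    version = parse_version(version_text)
    if version is None:
        return "unknown version: check manually"
    if pad(version) > pad(LAST_AFFECTED):
        return "outside affected range"
    if deployment == "cloud":
        return "patched by vendor as of December 16, 2024"
    if pad(version) < pad(MIN_PATCHABLE):
        return "upgrade first, then apply patch"
    return "apply patch unless automatic updates already delivered it"

def triage_inventory(rows):
    """rows: iterable of (host, deployment, version) -> list of (host, action)."""
    return [(host, triage(deployment, version)) for host, deployment, version in rows]

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE = [
    ("rs-helpdesk.example.internal", "on-prem", "24.3.1"),
    ("pra-vendors.example.internal", "on-prem", "21.3.2"),
    ("rs-emea.example.internal", "cloud", "24.2.4"),
    ("pra-lab.example.internal", "on-prem", "24.3.x"),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE):
        print(f"{host}: {action}")
```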

