CISA orders agencies to patch BeyondTrust bug exploited in attacks
CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks.
As mandated by Binding Operational Directive (BOD) 22-01, U.S. federal agencies must secure their networks against ongoing attacks targeting the flaw within three weeks of its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog, by February 3.
On December 19, the U.S. cybersecurity agency also added a critical command injection security bug (CVE-2024-12356) affecting the same BeyondTrust products to the catalog.
BeyondTrust found both vulnerabilities while investigating the breach of some of its Remote Support SaaS instances in early December. The attackers stole an API key, which they later used to reset passwords for local application accounts.
While BeyondTrust's December disclosure didn't explicitly mention it, the threat actors likely leveraged the two flaws as zero-days to hack into BeyondTrust systems to reach its customers.
In early January, the Treasury Department disclosed that its network was breached by attackers who used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance used by the agency.
Since then, the attack has been linked to Chinese state-backed hackers known as Silk Typhoon. This cyber-espionage group, known for reconnaissance and data theft attacks, became widely known after compromising an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
The threat actors specifically targeted the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks.
They also hacked into the Treasury's Office of Financial Research systems, but the impact of this incident is still being assessed. Silk Typhoon is believed to have used the stolen BeyondTrust digital key to access "unclassified information relating to potential sanctions actions and other documents."
BeyondTrust says it applied security patches for the CVE-2024-12686 and CVE-2024-12356 flaws on all cloud instances. However, those running self-hosted instances must deploy the patches manually.
The company has yet to mark the two security vulnerabilities as actively exploited in security advisories issued last month.