Thousands of BeyondTrust Systems Remain Exposed
UPDATE
Thousands of BeyondTrust instances remain connected to the Internet, amid dire warnings that Chinese state-sponsored threat actors are actively exploiting a critical vulnerability in unpatched systems.
The BeyondTrust bug, tracked under CVE-2024-12356, has an assigned CVSS score of 9.8 and affects Privileged Remote Access (PRA) and Remote Support (RS). It was first reported by BeyondTrust on Dec. 16. Three days later, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. By the end of last month, a Chinese state-sponsored hacker group had used the flaw to break into the US Department of the Treasury and steal data.
New analysis from Censys has found that, even as highly publicized evidence of a widespread advanced persistent threat (APT) campaign against unpatched systems mounts, 8,602 instances of BeyondTrust PRA and RS are still connected to the Internet, 72% of which are in the US. It is unknown what portion of these open instances remain unpatched, but security teams should check their patching status to avoid falling victim to an attack.
The good news is that BeyondTrust says all self-hosted instances have been force-updated. BeyondTrust cloud customers were automatically patched Dec. 16, as soon as the vulnerability was reported.
Organizations with self-hosted deployments that can't be patched, for whatever reason, can still protect vulnerable BeyondTrust remote tools, according to John Bambenek, cybersecurity expert and president, Bambenek Consulting.
"In situations like this, even if patching cannot be done, organizations can still limit inbound connectivity to these systems to trusted IP addresses only," he says. "Organizations know who is remotely supporting them, [so] they can easily lock down those IP addresses."
This story was updated on Jan. 6, 2025 at 11 a.m. ET to reflect the fact that the exposed instances are not necessarily vulnerable to the bug.
source: DarkReading