Thousands of BeyondTrust Systems Remain Exposed

UPDATE
Thousands of BeyondTrust instances remain connected to the Internet, amid dire warnings that Chinese state-sponsored threat actors are actively exploiting a critical vulnerability in unpatched systems.
The BeyondTrust bug, tracked under CVE-2024-12356, has an assigned CVSS score of 9.8 and affects Privileged Remote Access (PRA) and Remote Support (RS). It was first reported by BeyondTrust on Dec. 16. Three days later, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. By the end of last month, a Chinese state-sponsored hacker group had used the flaw to break into the US Department of the Treasury and steal data.
New analysis from Censys has found that, even as evidence of a widespread advanced persistent threat (APT) campaign against unpatched systems is being widely publicized, 8,602 instances of BeyondTrust PRA and RS remain connected to the Internet, 72% of which are in the US. It is unknown what portion of these exposed instances remain unpatched, but security teams should be verifying their patching status to avoid falling victim to an attack.
The good news is that BeyondTrust says all self-hosted instances have been force-updated. BeyondTrust cloud customers were automatically patched on Dec. 16, the day the vulnerability was reported.
Organizations whose self-hosted deployments can't be patched, for whatever reason, can still protect the vulnerable BeyondTrust remote tools, according to John Bambenek, cybersecurity expert and president, Bambenek Consulting.
"In situations like this, even if patching cannot be done, organizations can still limit inbound connectivity to these systems to trusted IP addresses only," he says. "Organizations know who is remotely supporting them, [so] they can easily lock down those IP addresses."
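The allowlisting Bambenek describes is straightforward to verify after the fact: if only known support providers should reach the appliance, any connection from outside their address ranges is a finding. The script below is an added example, not code from the article or from BeyondTrust. It assumes a hypothetical allowlist of provider networks and a constructed connection log in a simple key=value format; it flags source addresses outside the allowlist and also emits the equivalent nftables accept/drop rules for the appliance's HTTPS port.

```python
import ipaddress
import re

# Constructed allowlist: address ranges used by the organisation's remote-support
# providers. Hypothetical documentation-range values, not from the article.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
    ipaddress.ip_network("2001:db8:abcd::/48"),
]

# Constructed sample of inbound connection records in a hypothetical format:
# "<timestamp> src=<ip> dport=<port> action=<accept|reject>".
SAMPLE_LOG = """\
2025-01-06T10:00:01Z src=203.0.113.45 dport=443 action=accept
2025-01-06T10:00:07Z src=198.51.100.7 dport=443 action=accept
2025-01-06T10:01:13Z src=192.0.2.99 dport=443 action=accept
2025-01-06T10:02:40Z src=2001:db8:abcd::1 dport=443 action=accept
2025-01-06T10:03:02Z src=2001:db8:ffff::9 dport=443 action=accept
"""

LINE_RE = re.compile(r"src=(\S+)\s+dport=(\d+)")


def is_trusted(addr: str) -> bool:
    """True if addr falls inside any allowlisted network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS if net.version == ip.version)


def untrusted_sources(log_text: str) -> list[str]:
    """Return the distinct source addresses in the log that are outside the allowlist,
    in order of first appearance. Lines that do not match the format are skipped."""
    found: list[str] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        if not is_trusted(src) and src not in found:
            found.append(src)
    return found


def nft_allowlist_rules(ports=(443,)) -> list[str]:
    """Build nftables rule lines that accept the trusted networks on the given TCP
    ports and drop every other inbound connection to those ports."""
    rules = []
    for port in ports:
        for net in TRUSTED_NETWORKS:
            proto = "ip" if net.version == 4 else "ip6"
            rules.append(f"{proto} saddr {net} tcp dport {port} accept")
        rules.append(f"tcp dport {port} drop")  # default deny for the port
    return rules


if __name__ == "__main__":
    for src in untrusted_sources(SAMPLE_LOG):
        print(f"connection from non-allowlisted source: {src}")
    print("\n".join(nft_allowlist_rules()))
```

The accept rules must precede the drop rule within the same chain, which is why the generator appends the drop last for each port; version-specific `ip`/`ip6` matches keep the rules valid in an `inet` family table.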
This story was updated on Jan. 6, 2025 at 11 a.m. ET to reflect the fact that the exposed instances are not necessarily vulnerable to the bug.