[Solved] CVE-2024-12686 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
Introduction
Cybersecurity vulnerabilities are an ever-present threat, and one of the latest to make headlines is CVE-2024-12686. This command injection vulnerability was identified in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. Exploitation of this vulnerability allows attackers with administrative privileges to upload malicious files, potentially executing operating system commands with the privileges of the site user.
As this vulnerability is actively exploited, it has been added to the CISA Known Exploited Vulnerabilities Catalog. In this blog, we provide a comprehensive overview, including its discovery timeline, the systems affected, remediation steps, and recommended actions.
Discovery Timeline
CVE-2024-12686 was identified and disclosed by BeyondTrust in a security advisory labeled BT24-11. The advisory outlined the nature of the vulnerability, its impact, and the versions of PRA and RS that are affected. BeyondTrust promptly provided patches to mitigate the issue, underscoring the importance of swift action by organizations using their solutions.
Key Milestones
- Vulnerability Identification: BeyondTrust disclosed the issue as part of their advisory BT24-11. It was determined that attackers with administrative privileges could exploit this command injection flaw to compromise systems.
- CISA Inclusion: On January 13, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12686 to its Known Exploited Vulnerabilities Catalog, confirming that the vulnerability is being actively exploited in the wild. CISA set a remediation deadline of February 3, 2025, for federal agencies to address the issue.
Vulnerable Versions
The affected versions of BeyondTrust’s solutions are as follows:
- Privileged Remote Access (PRA): All versions up to and including 24.3.1 are vulnerable.
- Remote Support (RS): All versions up to and including 24.3.1 are vulnerable.
These versions contain the command injection vulnerability, making them susceptible to exploitation if not patched promptly.
Why This Matters
Organizations using these solutions often rely on them to manage and secure privileged access to critical systems. Exploitation of this vulnerability can have significant consequences, including unauthorized access, data exfiltration, and disruption of services.
Fix Versions and Solutions
To address CVE-2024-12686, BeyondTrust has released a series of patches under the BT24-11 advisory. These patches are tailored to specific versions of PRA and RS and must be applied based on the deployed version of the software.
Patches for PRA
| Patch Name | Applicable PRA Version |
| --- | --- |
| BT24-11-ONPREM1 | Dependent on PRA version |
| BT24-11-ONPREM2 | Dependent on PRA version |
| BT24-11-ONPREM3 | Dependent on PRA version |
| BT24-11-ONPREM4 | Dependent on PRA version |
| BT24-11-ONPREM5 | Dependent on PRA version |
| BT24-11-ONPREM6 | Dependent on PRA version |
| BT24-11-ONPREM7 | Dependent on PRA version |
Patches for RS
| Patch Name | Applicable RS Version |
| --- | --- |
| BT24-11-ONPREM1 | Dependent on RS version |
| BT24-11-ONPREM2 | Dependent on RS version |
| BT24-11-ONPREM3 | Dependent on RS version |
| BT24-11-ONPREM4 | Dependent on RS version |
| BT24-11-ONPREM5 | Dependent on RS version |
| BT24-11-ONPREM6 | Dependent on RS version |
| BT24-11-ONPREM7 | Dependent on RS version |
Applying the Fix
1. Identify Your Current Version: Determine the version of PRA or RS deployed in your environment.
2. Select the Correct Patch: Choose the patch from the BT24-11 series that corresponds to your version.
3. Follow BeyondTrust’s Instructions: Apply the patch according to the official guidance provided in the BT24-11 advisory.
4. Verify the Update: Confirm that the patch has been successfully applied by checking the updated version number and testing the system for functionality.
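The first two steps above amount to an inventory check: which PRA and RS appliances report a version in the range the post calls vulnerable (up to and including 24.3.1). The script below is an added example, not BeyondTrust code or tooling. It assumes version strings of the form major.minor.patch, treats any version above 24.3.1 as outside the stated vulnerable range, and uses a constructed inventory list; an unparseable version is reported as "unknown" rather than silently treated as safe. Patch selection itself is left to the BT24-11 advisory, since the post does not give the version-to-patch mapping.

```python
"""Triage helper for CVE-2024-12686 (added example; not BeyondTrust's code).

Assumptions not taken from the advisory summary:
- version strings look like "24.3.1" (major.minor.patch)
- anything above 24.3.1 is outside the stated vulnerable range
- the inventory below is constructed sample data
"""
from __future__ import annotations

# Highest vulnerable version named in the post: 24.3.1 for both PRA and RS.
LAST_VULNERABLE = (24, 3, 1)
AFFECTED_PRODUCTS = {"PRA", "RS"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "24.3.1" into (24, 3, 1); pad short strings so "24.3" becomes
    (24, 3, 0). Raises ValueError on junk rather than guessing."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is PRA or RS and the version is <= 24.3.1."""
    if product.upper() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) <= LAST_VULNERABLE


def triage(inventory: list[dict]) -> list[dict]:
    """Return inventory entries that still need attention, each tagged with
    a status of 'vulnerable' or 'unknown' (unparseable version)."""
    findings = []
    for entry in inventory:
        try:
            vulnerable = is_vulnerable(entry["product"], entry["version"])
            status = "vulnerable" if vulnerable else "not affected"
        except ValueError:
            status = "unknown"
        if status != "not affected":
            findings.append({**entry, "status": status})
    return findings


# Constructed sample data, not from any real deployment.
SAMPLE_INVENTORY = [
    {"host": "pra-01.example.internal", "product": "PRA", "version": "24.3.1"},
    {"host": "rs-01.example.internal", "product": "RS", "version": "23.2.4"},
    {"host": "rs-02.example.internal", "product": "RS", "version": "24.3.2"},
    {"host": "rs-03.example.internal", "product": "RS", "version": "n/a"},
    {"host": "jump-01.example.internal", "product": "OtherVendor", "version": "1.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:28} {f['product']:4} {f['version']:8} {f['status']}")
```

Run against a real inventory export, the "unknown" rows are the ones to chase first: an appliance whose version cannot be read cannot be confirmed patched either, which is exactly what step 4 asks you to verify.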
Recommended Actions
To protect your organization from exploitation, it is critical to take the following steps:
1. Patch Immediately
Apply the patches provided in the BT24-11 advisory as soon as possible. Delays in patching increase the risk of exploitation, especially given the active status of this vulnerability.
2. Restrict Administrative Access
- Limit the number of users with administrative privileges.
- Enforce strong password policies and multi-factor authentication (MFA) for all administrative accounts.
3. Monitor for Indicators of Compromise (IoCs)
- Enable logging and monitoring to detect unusual activity, such as unexpected file uploads or command execution.
- Regularly review system logs for signs of exploitation.
4. Implement Network Segmentation
- Restrict access to PRA and RS environments using firewalls and access control lists.
- Limit exposure to trusted IP addresses only.
5. Backup and Recovery
- Ensure regular backups of critical systems and data.
- Test recovery procedures to verify that backups are reliable and complete.
6. Stay Informed
- Monitor updates from BeyondTrust and CISA regarding this vulnerability.
- Subscribe to relevant advisories and alerts to stay ahead of potential threats.
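Steps 3 and 4 above describe what to look for (unexpected file uploads and command execution) and where administrators should be connecting from (trusted addresses only). The script below turns those two ideas into a small log-review pass. It is an added example, not BeyondTrust code, and the key=value log format, the trusted network 10.20.0.0/16, the ten-minute correlation window and the sample lines are all constructed for illustration; map the field names onto whatever your appliance actually emits before using it.

```python
"""Log-review helper for the monitoring step (added example; the event
format is constructed for illustration and is NOT BeyondTrust's).

Assumed event shape, one per line:
  <ISO-8601 UTC timestamp> user=<account> src=<ip> action=<name> [target=<path>]
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta

# Networks an administrator is expected to connect from (constructed value).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# An upload followed by command execution inside this window is flagged.
CORRELATION_WINDOW = timedelta(minutes=10)

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split the timestamp off and read the remaining key=value pairs."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    event.update(_KV.findall(rest))
    return event


def from_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review(lines: list[str]) -> list[str]:
    """Return one finding per event matching the two patterns the post
    names: a file upload from outside the trusted networks, or command
    execution by an account that uploaded a file shortly before."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    findings: list[str] = []
    last_upload: dict[str, datetime] = {}  # account -> time of latest upload

    for ev in events:
        when = ev["ts"].strftime("%H:%M:%SZ")
        user, src, action = ev["user"], ev["src"], ev["action"]

        if action == "file_upload":
            last_upload[user] = ev["ts"]
            if not from_trusted_network(src):
                findings.append(f"{when} upload by {user} from untrusted source {src}")

        elif action == "command_exec":
            prev = last_upload.get(user)
            if prev is not None and ev["ts"] - prev <= CORRELATION_WINDOW:
                findings.append(
                    f"{when} command execution by {user} within "
                    f"{CORRELATION_WINDOW} of a file upload "
                    f"({ev.get('target', '?')})"
                )
    return findings


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2025-01-14T02:58:10Z user=alice src=10.20.4.15 action=login
2025-01-14T03:01:22Z user=alice src=10.20.4.15 action=file_upload target=/uploads/report.pdf
2025-01-14T03:12:45Z user=svc-admin src=198.51.100.23 action=login
2025-01-14T03:13:02Z user=svc-admin src=198.51.100.23 action=file_upload target=/uploads/update.bin
2025-01-14T03:13:40Z user=svc-admin src=198.51.100.23 action=command_exec target=/uploads/update.bin
2025-01-14T03:40:00Z user=alice src=10.20.4.15 action=command_exec target=restart-service
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, alice's upload from inside 10.20.0.0/16 and her command execution 39 minutes later produce nothing, while svc-admin's upload from 198.51.100.23 and the command execution 38 seconds after it each produce a finding. The correlation rule is deliberately simple; the value is in reviewing every hit rather than in the rule itself.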
Closing Summary
The discovery of CVE-2024-12686 highlights the importance of proactive vulnerability management and patching. With the inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities Catalog, it is clear that attackers are actively targeting unpatched systems. Organizations using BeyondTrust’s Privileged Remote Access and Remote Support solutions must act swiftly to mitigate this risk.
By applying the patches detailed in the BT24-11 advisory and following best practices for system security, organizations can protect themselves from exploitation and ensure the integrity of their critical systems. The stakes are high, but with prompt action, this vulnerability can be effectively mitigated.
For more information, refer to BeyondTrust’s official advisory and CISA’s Known Exploited Vulnerabilities Catalog.