
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-12356 is a critical command injection vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products, affecting versions 24.3.1 and earlier. It was disclosed on December 16, 2024, and carries a CVSS score of 9.8 (Critical). An unauthenticated remote attacker can inject commands that are executed in the context of a site user (Censys, NVD).
The vulnerability is classified as Command Injection (CWE-77) with a CVSS v3.1 base score of 9.8 (Critical). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network, has low attack complexity, requires no privileges and no user interaction, leaves the scope unchanged, and has high impact on confidentiality, integrity, and availability (NVD).
As of January 6, 2025, 13,548 BeyondTrust Remote Support and Privileged Remote Access instances were observed exposed on the internet, about 72% of them in the United States. Because the flaw lets an unauthenticated attacker execute operating system commands on the appliance in the context of the site user, each exposed instance is a candidate for unauthorized access and control of the system (Censys).
BeyondTrust has released a patch for all supported releases of RS and PRA 22.1.x and higher; deployments on older, unsupported releases must first be upgraded to a supported version before the patch can be applied. CISA added the CVE to its Known Exploited Vulnerabilities catalog with a remediation deadline of December 27, 2024, by which federal agencies must apply the vendor-provided fixes or discontinue use of the product if mitigations are unavailable (CISA).
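Turning the advisory's two version boundaries into a triage of an appliance inventory, as an added Python example (not BeyondTrust's code or part of the original report). It encodes only what the advisory states: releases 24.3.1 and earlier are affected, and the patch is available for 22.1.x and higher. The inventory is constructed sample data with made-up hostnames, and the classification is an "in scope" list to act on, not proof that any given host is unpatched, since a version string alone does not show whether the vendor patch was installed.

```python
"""Triage a BeyondTrust RS/PRA inventory against the CVE-2024-12356 advisory.

Added example, not vendor code. Boundaries come from the advisory text:
24.3.1 and earlier are affected; a patch exists for 22.1.x and higher.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

LAST_AFFECTED: Version = (24, 3, 1)      # "versions 24.3.1 and earlier"
OLDEST_PATCHABLE: Version = (22, 1, 0)   # patch available for "22.1.x and higher"


def parse_version(text: str) -> Version:
    """Turn '24.3.1' (or '24.3') into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def triage(version: str) -> str:
    """Classify one reported version against the advisory's ranges."""
    v = parse_version(version)
    if v > LAST_AFFECTED:
        return "outside affected range"
    if v >= OLDEST_PATCHABLE:
        return "affected: apply vendor patch"
    return "affected and unsupported: upgrade to a supported release, then patch"


# Constructed sample inventory (hostname, product, reported version); not real hosts.
INVENTORY: List[Tuple[str, str, str]] = [
    ("rs-01.example.internal", "RS", "24.3.1"),
    ("pra-01.example.internal", "PRA", "23.2.2"),
    ("rs-legacy.example.internal", "RS", "21.3.1"),
    ("pra-02.example.internal", "PRA", "22.1"),
]


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, action) rows, affected hosts first."""
    rows = [(h, p, ver, triage(ver)) for h, p, ver in inventory]
    return sorted(rows, key=lambda r: not r[3].startswith("affected"))


if __name__ == "__main__":
    for host, product, version, action in triage_inventory(INVENTORY):
        print(f"{host:30} {product:4} {version:8} {action}")
```

The sort puts affected hosts at the top so the patch-or-upgrade work list can be read off directly; an unparseable version string raises rather than silently falling into one of the buckets.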
Source: This report was generated using AI