BeyondTrust Patches Critical Vulnerability Discovered During Security Incident Probe


BeyondTrust has released patches for a critical-severity vulnerability in its Privileged Remote Access (PRA) and Remote Support (RS) products that could be exploited to execute arbitrary commands. The flaw was discovered during an investigation into a security incident impacting some customers.

BeyondTrust’s PRA provides management of privileged user accounts facilitating just-in-time secure access to enterprise environments, while RS enables authorized individuals to securely connect to remote systems and mobile devices.

Tracked as CVE-2024-12356 (CVSS score of 9.8), the security defect is described as an unauthenticated command injection bug that can be exploited using crafted client requests.

“Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user,” BeyondTrust notes in its advisory.

The issue impacts PRA and RS versions 24.3.1 and earlier. BeyondTrust has released a patch for all supported iterations of PRA ...


Copyright of this story belongs solely to SecurityWeek.