CISA tells agencies to patch the BeyondTrust bug now
- CISA has added two bugs found in BeyondTrust products
- Both were spotted in the wild in December 2024
- Federal agencies have until February 3, 2025 to resolve the issues
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two recently discovered BeyondTrust bugs to its Known Exploited Vulnerabilities (KEV) catalog.
The move means that CISA has seen evidence that the bugs are being exploited in the wild, and so has given federal agencies a deadline to patch the software or stop using it completely.
In late December 2024, BeyondTrust confirmed that it had suffered a cyberattack after discovering that a number of its Remote Support SaaS instances had been compromised. The subsequent investigation revealed these two vulnerabilities, which the company later patched.
Attacks on the Treasury Department
The bugs are tracked as CVE-2024-12686 and CVE-2024-12356. The first is a medium-severity vulnerability (CVSS score 6.6) in Privileged Remote Access (PRA) and Remote Support (RS) that allows a malicious actor who already holds administrative rights to inject and execute commands as a site user. The second is a critical vulnerability that allows an unauthenticated attacker to inject commands that are executed as a site user; it received a severity score of 9.8 (critical).
CVE-2024-12356 was added to KEV on December 19, while CVE-2024-12686 was added on January 13. That means federal agencies had until January 9 to address CVE-2024-12356, and have until February 3, 2025 to address CVE-2024-12686.
The news comes after the US Treasury Department was hit by a cyberattack in early January 2025 in which the attackers, believed to be Silk Typhoon, a notorious cyber espionage group reportedly on the Chinese government payroll, used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance.
Silk Typhoon is perhaps best known for targeting around 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
Silk Typhoon is part of a broader network of “Typhoon” groups: Volt Typhoon, Salt Typhoon, Flax Typhoon and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.
Via BleepingComputer