- CISA has added two bugs in BeyondTrust products to its Known Exploited Vulnerabilities catalog
- Both were exploited in the wild in December 2024
- Federal agencies have until February 3, 2025 to patch the later-listed flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two recently discovered BeyondTrust bugs to its catalog of known exploited vulnerabilities (KEV).
A KEV listing means CISA has evidence that a bug is being exploited in the wild; federal civilian agencies are then given a deadline to apply the vendor's fix or, if none is available, to stop using the affected product.
In early December 2024, BeyondTrust confirmed it had suffered a cyberattack after detecting that some of its Remote Support SaaS instances had been compromised. The company's subsequent investigation uncovered the two flaws, which it later patched.
Attacks on the Treasury Department
The bugs are tracked as CVE-2024-12686 and CVE-2024-12356. The first is a medium-severity vulnerability (CVSS 6.6) in Privileged Remote Access (PRA) and Remote Support (RS) that allows an attacker who already holds administrator privileges to inject commands that are executed as a site user. The second is a critical vulnerability (CVSS 9.8) in the same products that allows an unauthenticated attacker to inject commands that are executed as a site user.
CVE-2024-12356 was added to KEV on December 19, 2024, and CVE-2024-12686 on January 13, 2025. Federal agencies therefore had until January 9, 2025 to remediate the first, and have until February 3, 2025 to remediate the second.
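A KEV listing is only useful if it is checked against what you actually run. The script below is an added example, not code from the article or from CISA or BeyondTrust: it parses a feed in the shape of CISA's public KEV JSON (the field names match the real feed; the two records and the inventory are constructed here from the dates and descriptions given above), matches entries against a small asset inventory, and reports the remediation deadline and how many days remain. The hostnames and the `INVENTORY` structure are assumptions for illustration.

```python
"""Match KEV entries to an asset inventory and compute patch deadlines.

Added example, not from the article. SAMPLE_KEV_JSON is constructed to mirror
the schema of CISA's KEV feed; the dates are the ones reported for the two
BeyondTrust CVEs, the descriptive text is paraphrased.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape (same field names as the real feed).
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.01.13",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-12356",
      "vendorProject": "BeyondTrust",
      "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
      "vulnerabilityName": "BeyondTrust PRA and RS Command Injection Vulnerability",
      "dateAdded": "2024-12-19",
      "shortDescription": "Unauthenticated command injection executed as a site user.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-01-09",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2024-12686",
      "vendorProject": "BeyondTrust",
      "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
      "vulnerabilityName": "BeyondTrust PRA and RS OS Command Injection Vulnerability",
      "dateAdded": "2025-01-13",
      "shortDescription": "Command injection by an attacker with administrator privileges, executed as a site user.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-02-03",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Assumed asset inventory: vendor and product as your CMDB records them.
INVENTORY = [
    {"host": "rs.corp.example", "vendor": "BeyondTrust", "product": "Remote Support"},
    {"host": "vpn01.corp.example", "vendor": "Fortinet", "product": "FortiOS"},
]


def load_kev(raw):
    """Return the list of vulnerability records from a KEV-shaped JSON document."""
    return json.loads(raw)["vulnerabilities"]


def remediation_window_days(entry):
    """Days between the KEV listing date and the due date for one entry."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def affected_assets(entry, inventory):
    """Hosts whose vendor matches and whose product name appears in the KEV product field.

    Matching is case-insensitive; the KEV product field often names several
    products at once, so a substring test on the inventory's product is used.
    """
    return [
        a["host"]
        for a in inventory
        if a["vendor"].lower() == entry["vendorProject"].lower()
        and a["product"].lower() in entry["product"].lower()
    ]


def kev_exposure(raw, inventory, today):
    """Report every KEV entry that hits the inventory, earliest deadline first."""
    report = []
    for entry in load_kev(raw):
        hosts = affected_assets(entry, inventory)
        if not hosts:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        report.append({
            "cveID": entry["cveID"],
            "hosts": hosts,
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "overdue": days_left < 0,
            "requiredAction": entry["requiredAction"],
        })
    report.sort(key=lambda r: r["dueDate"])
    return report


if __name__ == "__main__":
    for row in kev_exposure(SAMPLE_KEV_JSON, INVENTORY, date(2025, 1, 15)):
        state = "OVERDUE" if row["overdue"] else f"{row['daysLeft']} days left"
        print(f"{row['cveID']} due {row['dueDate']} ({state}): {', '.join(row['hosts'])}")
```

Run against the real feed by replacing `SAMPLE_KEV_JSON` with the downloaded catalog; the 21-day gap between `dateAdded` and `dueDate` that `remediation_window_days` returns for both sample entries is the standard window CISA applies to newly listed, recent CVEs, and a shorter window on an entry is a signal to prioritize.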
The news follows the US Treasury Department's disclosure, in late December 2024, of a cyberattack in which the intruders, believed to be Silk Typhoon, a cyber espionage group widely attributed to the Chinese government, used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance.
Silk Typhoon is perhaps best known for targeting some 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
Silk Typhoon is part of a larger network of “Typhoon” groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.
Via BleepingComputer