BeyondTrust customers hit by a wave of attacks, believed to stem from a compromised API key.
In late 2024, a significant security incident unfolded in which Chinese state-sponsored attackers exploited a critical command injection vulnerability, CVE-2024-12356, in BeyondTrust's Remote Support SaaS and Privileged Remote Access products. The vulnerability, rated CVSS 9.8, was disclosed on December 23, 2024, and BeyondTrust began patching shortly afterwards.
The vulnerability was initially discovered on December 2, with anomalous activity detected on one customer instance of Remote Support SaaS. Three days later, BeyondTrust determined that multiple customers were impacted. The company promptly notified these customers and continues to share updates as the investigation progresses.
The exploitation of CVE-2024-12356 was notable because it allowed attackers to gain unauthorized access to systems, including some within the U.S. Treasury Department. BeyondTrust, however, has not confirmed a direct link between the attacks on its customers and the actively exploited critical CVE.
Regarding patching, BeyondTrust addressed this vulnerability as part of its response to the incident. Cloud customers were patched proactively, while on-premise deployments required manual updates to mitigate the risk. This patching and remediation effort was completed before June 2025.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-12356 to its known exploited vulnerabilities catalog on Thursday. No further information about the impacted customers has been disclosed by BeyondTrust.
No BeyondTrust products other than Remote Support SaaS were found to be impacted. The affected instances were suspended, and the compromised API key was revoked. Earlier this year BeyondTrust had approximately 20,000 customers across its product portfolio, including 75 of the Fortune 100.
BeyondTrust and a third-party cybersecurity and forensics firm are conducting an ongoing investigation into the attacks. The attacker compromised a Remote Support SaaS API key and used it to reset the passwords of multiple accounts.
In summary, CVE-2024-12356 was disclosed in late December 2024, with patching initiated soon thereafter and continuing into early 2025. The incident is a reminder for organisations to keep their systems updated and to stay vigilant against potential threats.
- The late-2024 incident, in which a critical command injection vulnerability, CVE-2024-12356, in BeyondTrust's Remote Support SaaS and Privileged Remote Access products was exploited, showed how exposed cloud-hosted systems are to targeted attacks.
- The exploitation of CVE-2024-12356 allowed attackers to infiltrate systems, even reaching those within the U.S. Treasury Department, underscoring the severe consequences of unpatched vulnerabilities in technology infrastructure.
- In the aftermath, BeyondTrust mitigated the risk by addressing the vulnerability as part of its response and patching its cloud customers proactively. On-premise deployments, however, required manual updates, with the remediation effort completed before June 2025, highlighting the importance of prompt and continuous maintenance.