- CISA added two bugs found in BeyondTrust products
- Both were seen in the wild in December 2024
- Federal agencies have until February 3, 2025 to patch things up
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two recently discovered BeyondTrust bugs to its catalog of known exploited vulnerabilities (KEVs).
The move means CISA found that the bugs were being exploited in the wild and therefore gave federal agencies a deadline to fix the software or stop using it altogether.
In late December 2024, BeyondTrust confirmed that it had suffered a cyberattack after discovering that some of its Remote Support SaaS instances were compromised. The subsequent investigation uncovered both of these flaws, which the company has since fixed.
Attacks on the Treasury Department
The bugs are tracked as CVE-2024-12686 and CVE-2024-12356. The first is a medium-severity vulnerability (score of 6.6) in Privileged Remote Access (PRA) and Remote Support (RS) that allows an attacker who already holds administrator privileges to inject commands that run as a site user. The second is a critical vulnerability that allows an unauthenticated attacker to inject commands executed as a site user; it received a severity score of 9.8 (critical).
CVE-2024-12356 was added to KEV on December 19, while CVE-2024-12686 was added on January 13. This means that users had until January 9 to fix the first flaw and until February 3, 2025 to fix the second flaw.
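CISA publishes the KEV catalog as a JSON feed, so the "are we past the deadline?" check can be automated. The following is an added example, not code from the article or from CISA: it filters a sample of entries in the feed's shape (field names as in the public feed; the two entries and their dates are constructed from the figures above) down to one vendor and reports how many days remain before each due date.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# feed. Only the two BeyondTrust entries discussed above are included; dates are
# the ones reported in the article, and the descriptions are paraphrased.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "shortDescription": "Unauthenticated command injection (constructed summary)",
         "dateAdded": "2024-12-19", "dueDate": "2025-01-09"},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "shortDescription": "Authenticated command injection (constructed summary)",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03"},
    ]
})


def due_status(feed_json: str, vendors: set[str], today: date) -> list[dict]:
    """Return the KEV entries for the given vendors, oldest deadline first.

    Each result carries the CVE id, the catalog due date, the number of days
    left (negative once the deadline has passed) and an overdue flag, so the
    caller can raise the entries that need immediate attention.
    """
    feed = json.loads(feed_json)
    results = []
    for entry in feed["vulnerabilities"]:
        if entry["vendorProject"] not in vendors:
            continue
        due = date.fromisoformat(entry["dueDate"])
        results.append({
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "daysLeft": (due - today).days,
            "overdue": today > due,
        })
    return sorted(results, key=lambda e: e["dueDate"])


if __name__ == "__main__":
    # Run against the date of this article's second KEV deadline window.
    for row in due_status(KEV_SAMPLE, {"BeyondTrust"}, date(2025, 1, 20)):
        print(row)
```

Swap `KEV_SAMPLE` for the live feed and `vendors` for the vendors in your asset inventory to get a daily overdue list.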
This news comes after the US Treasury Department was hit by a cyberattack in early January 2025. The attackers, believed to be Silk Typhoon, a notorious cyberespionage group thought to be in the pay of the Chinese government, used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance.
Silk Typhoon is perhaps best known for targeting some 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
Silk Typhoon is part of a larger network of “Typhoon” groups: Volt Typhoon, Salt Typhoon, Flax Typhoon and Brass Typhoon. Salt Typhoon has recently been linked to a number of high-profile breaches, including at least four major US telecommunications carriers.
Via BleepingComputer