The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2024-12686 (CVSS score: 6.6), a medium-severity bug that could allow an attacker with existing administrative privileges to inject commands and run as a site user.
“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file,” CISA said.
“Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.”
The addition of CVE-2024-12686 to the KEV catalog comes nearly a month after it added another critical security flaw impacting the same product (CVE-2024-12356, CVSS score: 9.8) that could also lead to the execution of arbitrary commands.
BeyondTrust said both vulnerabilities were discovered as part of its investigation into a cyber incident in early December 2024 that involved malicious actors leveraging a compromised Remote Support SaaS API key to breach some of the instances, and reset passwords for local application accounts.
Although the API key has since been revoked, the exact manner in which the key was compromised remains unknown as yet. It’s suspected that the threat actors exploited the two flaws as zero-days to break into BeyondTrust systems.
Earlier this month, the U.S. Treasury Department revealed its network was breached using the compromised API key in what it said was a “major cybersecurity incident.” The hack has been pinned on a Chinese state-sponsored group called Silk Typhoon (aka Hafnium).
The threat actors are believed to have specifically targeted the Treasury’s Office of Foreign Assets Control (OFAC), Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS), according to multiple reports from the Washington Post and CNN.
Also added to the KEV catalog is a now-patched critical security vulnerability affecting Qlik Sense (CVE-2023-48365, CVSS score: 9.9) that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
It’s worth noting that the security flaw has been actively exploited in the past by the Cactus ransomware group. Federal agencies are required to apply the necessary patches by February 3, 2024, to secure their networks against active threats.
