What is BeyondTrust Privileged Remote Access?
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) are enterprise privileged access management (PAM) and remote support platforms used by IT and security teams to securely manage privileged access to systems and provide vendor/contractor remote support. PRA and RS are trusted by large enterprises and government agencies — including the US Treasury — because they provide controlled, audited access to critical systems. A BeyondTrust PRA/RS system has privileged access to all systems it manages: it can be used to connect to servers, workstations, and network devices as an administrator. Compromising the PRA/RS platform gives an attacker a pivot point into every system it manages.
Overview
CVE-2024-12356 is a command injection vulnerability (CWE-77) in BeyondTrust Privileged Remote Access and Remote Support. An unauthenticated remote attacker can inject commands via the web interface that execute on the underlying server. It was exploited as a zero-day by a Chinese state-sponsored threat actor (linked to Silk Typhoon/APT41) in December 2024, resulting in the compromise of US Treasury Department workstations and access to unclassified documents. BeyondTrust detected the compromise on December 2, 2024, notified the US Treasury on December 8, and published the CVE and patches on December 17. CISA added it to the KEV catalog 2 days later with an 8-day deadline, one of the shortest in KEV history.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| BeyondTrust PRA | ≤ 24.3.1 | 24.3.2 or later |
| BeyondTrust RS | ≤ 24.3.1 | 24.3.2 or later |
Cloud-hosted (BeyondTrust-managed) instances were patched directly by BeyondTrust before CVE publication. On-premises customers required manual patching.
Technical Details
The command injection (CWE-77) is in BeyondTrust PRA/RS's web-based interface — specifically in a component that processes requests from remote support sessions or the management API. Attacker-controlled input is incorporated into an operating system command execution call without adequate sanitization, allowing the injection of additional shell commands.
No authentication required: The vulnerable endpoint can be reached by unauthenticated users, making this a critical pre-authentication RCE vulnerability in a privileged access management system.
Exploitation impact on a PAM platform:
- Lateral movement pivot: PRA/RS stores credentials and session keys for all managed systems; compromising the server exposes these credentials
- Privileged session hijacking: Active privileged sessions through the PRA/RS platform can potentially be intercepted or redirected
- Trust chain compromise: IT teams and vendors trust PRA/RS sessions — a compromised PRA/RS server can be used to deliver malicious sessions disguised as legitimate remote support
US Treasury breach context: The threat actor used the compromised BeyondTrust API key (obtained from cloud-hosted BeyondTrust infrastructure) to access Treasury workstations, override the remote support tool's security, and access unclassified documents. The Treasury classified this as a "major cybersecurity incident."
Discovery
BeyondTrust's security team detected anomalous activity in their cloud infrastructure on December 2, 2024, during investigation of an unrelated API key compromise. The CVE-2024-12356 vulnerability was identified as part of this investigation.
Exploitation Context
A Chinese state-sponsored threat actor (attributed to Silk Typhoon, previously known as Hafnium) exploited CVE-2024-12356 in December 2024. The US Treasury acknowledged the breach in a letter to Congress dated December 30, 2024. CISA's 8-day remediation deadline reflects the extreme urgency of a PAM system vulnerability that had already been exploited against a US government agency.
Remediation
- Apply BeyondTrust patches to upgrade PRA and RS to 24.3.2 or later immediately. The CISA deadline was December 27, 2024.
- For cloud-hosted BeyondTrust customers: confirm with BeyondTrust that your instance has been patched — BeyondTrust patched cloud instances before CVE publication.
- Revoke and rotate all BeyondTrust API keys — the initial US Treasury compromise involved a compromised API key that enabled further exploitation.
- Audit all privileged sessions conducted through PRA/RS during December 2024 for unauthorized access.
- Review all systems managed by BeyondTrust PRA/RS for signs of lateral movement or unauthorized administrative actions.
- Rotate credentials for all systems accessible via BeyondTrust PRA/RS — treat all managed system credentials as potentially compromised.
- Enable enhanced logging and alerting on the BeyondTrust platform for anomalous session initiation or API key usage.
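An added triage helper (not BeyondTrust's or CISA's tooling) that applies the affected-versions table and the remediation steps above to a fleet inventory: the version bounds, the cloud-versus-on-premises handling and the KEV deadline come from this page, while the inventory record layout and the hostnames are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

FIXED_VERSION = (24, 3, 2)          # first fixed release for both PRA and RS
KEV_DEADLINE = date(2024, 12, 27)   # CISA BOD 22-01 due date from the page
AFFECTED_PRODUCTS = {"PRA", "RS"}   # other BeyondTrust products are out of scope here

def parse_version(text: str) -> tuple[int, int, int]:
    """'24.3.1' -> (24, 3, 1). Tuple comparison avoids the string trap where
    '24.3.10' sorts before '24.3.2'; missing components are treated as 0."""
    nums = [int(p) for p in text.strip().split(".") if p]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])

def is_vulnerable(product: str, version: str) -> bool:
    """True for PRA/RS <= 24.3.1, per the affected-versions table."""
    return product.upper() in AFFECTED_PRODUCTS and parse_version(version) < FIXED_VERSION

@dataclass(frozen=True)
class Instance:            # inventory record layout is an assumption
    host: str
    product: str
    version: str
    cloud_hosted: bool

def triage(instances, today: date) -> dict[str, str]:
    """Map each host to the remediation step it needs, following the list above."""
    actions = {}
    for inst in instances:
        if not is_vulnerable(inst.product, inst.version):
            actions[inst.host] = "patched: audit Dec-2024 sessions, rotate API keys"
        elif inst.cloud_hosted:
            actions[inst.host] = "cloud-hosted: confirm vendor patch, rotate API keys"
        else:
            days = (today - KEV_DEADLINE).days   # positive means overdue
            actions[inst.host] = (f"UPGRADE to 24.3.2+ ({days:+d} days vs KEV deadline); "
                                  "rotate API keys and managed-system credentials")
    return actions

# Constructed sample inventory (hostnames are not real).
SAMPLE = [Instance("pra-dc1", "PRA", "24.3.1", False),
          Instance("rs-vendor", "RS", "24.3.2", False),
          Instance("pra-cloud", "PRA", "24.2.4", True),
          Instance("pra-dc2", "PRA", "24.3.10", False)]

if __name__ == "__main__":
    for host, action in triage(SAMPLE, date(2025, 1, 6)).items():
        print(f"{host:10} {action}")
```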
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-12356 |
| Vendor / Product | BeyondTrust — Privileged Remote Access (PRA) and Remote Support (RS) |
| NVD Published | 2024-12-17 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-77 |
| CISA KEV Added | 2024-12-19 |
| CISA KEV Deadline | 2024-12-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-12-02 | BeyondTrust detects anomalous activity; later determined to be exploitation of CVE-2024-12356 |
| 2024-12-08 | BeyondTrust notifies US Treasury of compromise affecting Treasury workstations |
| 2024-12-17 | CVE-2024-12356 published; BeyondTrust releases patches |
| 2024-12-19 | CISA adds to KEV with 8-day deadline |
| 2024-12-27 | CISA BOD 22-01 remediation deadline (8 days — emergency pace) |
References
| Resource | Type |
|---|---|
| BeyondTrust Security Advisory BT24-10 | Vendor Advisory |
| NVD — CVE-2024-12356 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| US Treasury — Statement on Chinese State-Sponsored Cyber Breach | US Government |