CVE-2024-12356

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 17 December 2024
Modified: 24 October 2025
KEV Added: 19 December 2024
Patch
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9386 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12356 is a critical-severity Command Injection (CWE-77) vulnerability in BeyondTrust Privileged Remote Access. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.1% of all CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A critical command injection vulnerability, tracked as CVE-2024-12356 and assigned CWE-77, affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. The flaw permits an unauthenticated attacker to inject and execute commands that run with the privileges of a site user, carrying a CVSS 3.1 score of 9.8 that reflects network-accessible exploitation without credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit the weakness over the network to run arbitrary commands as a site user, enabling complete compromise of the affected system and any data or resources accessible to that account.

The BeyondTrust security advisory BT24-10 and the CISA Known Exploited Vulnerabilities catalog both address the issue, confirming active exploitation in the wild. The associated EPSS score stands at 0.9386 with an identical peak value, indicating sustained high exploitation interest since disclosure.

Vulnerability details

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 19 December 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- BeyondTrust Privileged Remote Access, versions ≤ 24.3.1
- BeyondTrust Remote Support, versions ≤ 24.3.1

Mitigating Controls (NIST 800-53 r5)

- SI-10 (Information Input Validation), prevent: Directly blocks the command injection (CWE-77) by validating all inputs before they reach the command execution path in the PRA/RS interface.
- AC-3 (Access Enforcement), prevent: Enforces authentication and authorization checks so that unauthenticated remote actors cannot reach or invoke commands on the affected components.
- prevent: Limits the privileges of the site user context, reducing the blast radius if an injected command is executed despite other controls.