CVE-2024-12356
Published: 17 December 2024
Summary
CVE-2024-12356 is a critical-severity Command Injection (CWE-77) vulnerability in BeyondTrust Privileged Remote Access. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A critical command injection vulnerability, tracked as CVE-2024-12356 and assigned CWE-77, affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. The flaw permits an unauthenticated attacker to inject and execute commands that run with the privileges of a site user, carrying a CVSS 3.1 score of 9.8 that reflects network-accessible exploitation without credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit the weakness over the network to run arbitrary commands as a site user, enabling complete compromise of the affected system and any data or resources accessible to that account.
The BeyondTrust security advisory BT24-10 and the CISA Known Exploited Vulnerabilities catalog both address the issue, confirming active exploitation in the wild. The associated EPSS score stands at 0.9386 with an identical peak value, indicating sustained high exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50801
Vulnerability details
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
- CWE(s): CWE-77 (Command Injection)
- KEV Date Added: 19 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the command injection (CWE-77) by validating all inputs before they reach the command execution path in the PRA/RS interface.
- AC-3 (Access Enforcement): enforces authentication and authorization checks so that unauthenticated remote actors cannot reach or invoke commands on the affected components.
- Least privilege for the site user context: limits the privileges of the site user, reducing the blast radius if an injected command is executed despite the other controls.