Cyber Resilience

CVE-2024-12686

Tags: Medium · CISA KEV · Active Exploitation · EUVD Exploited · RCE · Patch

Published: 18 December 2024
Modified: 24 October 2025
KEV Added: 13 January 2025
CVSS Score (v3.1): 6.6, vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.3153 (96.9th percentile)
Risk Priority: 52 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12686 is a medium-severity OS Command Injection (CWE-78) vulnerability in BeyondTrust Privileged Remote Access. Its CVSS base score is 6.6 (Medium).

Operationally, its EPSS score ranks it in the top 3.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12686 is a command injection vulnerability, tracked under CWE-78, that affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). It carries a CVSS 3.1 score of 6.6 and permits an attacker to inject and execute operating system commands that run in the context of a site user.

An attacker must already possess administrative privileges on the affected system and can leverage the flaw over the network, albeit with high attack complexity, to achieve high impact on confidentiality, integrity, and availability. The requirement for existing high privileges limits the initial attack surface but enables full command execution once administrative access is obtained.

BeyondTrust has published advisory BT24-11, and the issue appears in CISA's known exploited vulnerabilities catalog, indicating that mitigation guidance and patches are available through those sources.

The EPSS score reached a peak of 0.3997 and currently stands at 0.3153, and its presence in the CISA catalog confirms observed exploitation activity in the wild.

Vulnerability details

A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 13 January 2025

Related Threats

No named actor attribution yet; ATT&CK technique mapping is in progress for this CVE.

Affected Assets

Vendor       Product                    Affected versions
beyondtrust  privileged remote access   ≤ 24.3.1
beyondtrust  remote support             ≤ 24.3.1

Mitigating Controls (NIST 800-53 r5)

prevent: Directly blocks the crafted input that enables command injection (CWE-78) before execution occurs (SI-10, Information Input Validation).

prevent: Limits the commands an authenticated administrator can successfully execute under the site-user context.

prevent: Requires prompt application of the vendor patch referenced in BT24-11 to eliminate the injection flaw (SI-2, Flaw Remediation).
