CVE-2024-12686
Published: 18 December 2024
Summary
CVE-2024-12686 is a medium-severity OS Command Injection (CWE-78) vulnerability in BeyondTrust Privileged Remote Access. Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12686 is a command injection vulnerability, tracked under CWE-78, that affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). It carries a CVSS 3.1 score of 6.6 and permits an attacker to inject and execute operating system commands that run in the context of a site user.
An attacker must already hold administrative privileges on the affected system and can exploit the flaw over the network, albeit with high attack complexity, to achieve high impact on confidentiality, integrity, and availability. The high-privilege prerequisite narrows the initial attack surface, but once administrative access is obtained the flaw permits full command execution.
BeyondTrust has published advisory BT24-11, and the issue appears in CISA's known exploited vulnerabilities catalog, indicating that mitigation guidance and patches are available through those sources.
The EPSS score peaked at 0.3997 and currently stands at 0.3153; the listing in the CISA catalog confirms that exploitation has been observed in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51049
Vulnerability details
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
- CWE(s): CWE-78
- KEV Date Added: 13 January 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the crafted input that enables command injection (CWE-78) before execution occurs.
- Limits the commands an authenticated administrator can successfully execute under the site-user context.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor patch referenced in BT24-11 to eliminate the injection flaw.