CISA tells agencies to patch BeyondTrust bug now


  • CISA added two bugs found in BeyondTrust products
  • Both were seen in the wild in December 2024
  • Federal agencies have until February 3, 2025 to patch up

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two recently-discovered BeyondTrust bugs to its Known Exploited Vulnerabilities (KEV) catalog.

The move means CISA has seen evidence of the bugs being exploited in the wild, and has thus given federal agencies a deadline to patch the software or stop using it entirely.

In late December 2024, BeyondTrust confirmed it had suffered a cyberattack after discovering that some of its Remote Support SaaS instances had been compromised. The subsequent investigation uncovered these two flaws, which the company later patched.

Attacks on the Treasury Department

The bugs are tracked as CVE-2024-12686 and CVE-2024-12356. The former is a medium-severity vulnerability (6.6 score), described as a flaw in Privileged Remote Access (PRA) and Remote Support (RS) that allows malicious actors with existing admin privileges to inject commands that run as a site user. The latter is a critical vulnerability that can allow an unauthenticated attacker to inject commands that are run as a site user. It was given a 9.8 severity score (critical).

CVE-2024-12356 was added to KEV on December 19, and CVE-2024-12686 on January 13. That means agencies had until January 9 to address the first flaw, and have until February 3, 2025, to address the second.
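Cross-referencing an asset inventory against the KEV catalog and tracking the due dates is the routine this article is describing. Here is an added example, not code from the article, CISA or BeyondTrust, that loads a constructed excerpt in the shape of CISA's public KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction` follow that schema), matches it against a constructed asset list, and reports how many days remain before each deadline. The dates for the two BeyondTrust entries are the ones the article gives; the third entry (`CVE-0000-00000`, "ExampleVendor"), the hostnames, and the `kev_exposure` / `exposure_on` functions are assumptions made for the example.

```python
"""Flag inventory assets that appear in a KEV feed and compute days to the due date."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.
# BeyondTrust dates follow the article; the third entry is a placeholder, not a real CVE.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2024-12-19", "dueDate": "2025-01-09",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",  # placeholder entry
         "product": "Widget Server",
         "dateAdded": "2025-01-14", "dueDate": "2025-03-01",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    ]
})

# Constructed asset inventory: vendor and product names as a CMDB export might hold them.
INVENTORY = [
    {"host": "jump-01.example.internal", "vendor": "BeyondTrust", "product": "Remote Support"},
    {"host": "www-01.example.internal", "vendor": "ExampleVendor", "product": "Widget Server"},
    {"host": "db-01.example.internal", "vendor": "OtherVendor", "product": "DB"},
]


def load_kev(raw: str) -> list[dict]:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly (case-insensitive); the KEV product string is free text,
    so the inventory product name is matched as a substring of it."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    return asset["product"].lower() in entry["product"].lower()


def kev_exposure(kev_raw: str, inventory: list[dict], today: date) -> list[dict]:
    """Return one finding per (asset, KEV entry) pair, soonest deadline first.
    daysRemaining is negative when the due date has already passed."""
    findings = []
    for entry in load_kev(kev_raw):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not matches(entry, asset):
                continue
            remaining = (due - today).days
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "daysRemaining": remaining,
                "status": "overdue" if remaining < 0 else "open",
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["daysRemaining"], f["cveID"]))
    return findings


def exposure_on(today_iso: str) -> list[dict]:
    """Convenience wrapper: run the sample feed and inventory as of a given ISO date."""
    return kev_exposure(KEV_SAMPLE, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # As of 15 January 2025 the first BeyondTrust deadline has passed, the second is open.
    for finding in exposure_on("2025-01-15"):
        print(f"{finding['status']:8} {finding['cveID']}  {finding['host']}  "
              f"due {finding['dueDate']} ({finding['daysRemaining']:+d} days)")
```

The vendor check is exact and the product check is a substring because KEV product strings are descriptive rather than normalized; in practice the inventory side needs the same normalization before this match is trustworthy, and a missed match is a silent false negative, so it is worth logging assets whose vendor matched but whose product did not.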

The news comes after the US Treasury Department was hit by a cyberattack in early January 2025 where the attackers, thought to be Silk Typhoon, a notorious cyber-espionage group allegedly on the payroll of the Chinese government, used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance.

Silk Typhoon is perhaps best known for targeting some 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.

Silk Typhoon is a part of a wider network of “Typhoon” groups: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

