CVE-2024-12356
published 2024-12-17


Priority P198 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-12-27
Exploited in the wild
EPSS: 87.99% (99.7th percentile)
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
beyondtrust | privileged_remote_access | <= 24.3.1 |
beyondtrust | remote_support | <= 24.3.1 |

Detection & IOCs (extracted from sources)

path: /nw (WebSocket path)
port: 443
filename: aws.php
filename: file_save.php
filename: blue.drx
command: a[$(cmd)]0
other: POST parameter: '1'; GET parameter: 'aaaa'
other: HTTP parameter: 'ASS' (Base64-encoded payload carrier)
other: query parameter key equals vjwr
path: /ns/tmp/php-fpm.sock
process: check_auth
process: thin-scc-wrapper
bytes: DQo= (CRLF delimiter before/after eval output)
  • Detect 'config STOMPing': look for Apache configuration files being modified and immediately restored on disk while the malicious Location directive (pointing to /ns/tmp/php-fpm.sock) remains loaded in the running process.
  • CVE-2024-12356 shares the same WebSocket endpoint as CVE-2026-1731; the old exploit chain (BeyondTrust RCE + PostgreSQL SQLi via /nw on port 443) was still observed in active use in January 2026, so detections for /nw WebSocket abuse apply to both CVEs.
  • Stolen BeyondTrust Remote Support SaaS API keys used to reset passwords for local application accounts should be treated as a high-fidelity indicator of compromise; revoke and rotate all API keys upon detection.
  • CVE-2024-12356 affects BeyondTrust Remote Support and Privileged Remote Access; BeyondTrust patched all cloud/SaaS instances automatically, but self-hosted (on-premises) customers must apply patches manually.

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL
cisa · 9.8 · CRITICAL