CVE-2024-12356
Published 2024-12-17
Priority P1 · 98 · critical · CVSS 3.1 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-12-27
Exploited in the wild
EPSS 87.99% (99.7th percentile)
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beyondtrust | privileged_remote_access | <= 24.3.1 | — |
| beyondtrust | remote_support | <= 24.3.1 | — |
Detection & IOCs (extracted from sources)
- bytes: DQo= (CRLF delimiter before/after eval output)
- Detect 'config STOMPing': look for Apache configuration files being modified and immediately restored on disk while the malicious Location directive (pointing to /ns/tmp/php-fpm.sock) remains loaded in the running process.
- CVE-2024-12356 shares the same WebSocket endpoint as CVE-2026-1731; the old exploit chain (BeyondTrust RCE + PostgreSQL SQLi via /nw on port 443) was still observed in active use in January 2026, so detections for /nw WebSocket abuse apply to both CVEs.
- Stolen BeyondTrust Remote Support SaaS API keys used to reset passwords for local application accounts should be treated as a high-fidelity indicator of compromise; revoke and rotate all API keys upon detection.
- CVE-2024-12356 affects BeyondTrust Remote Support and Privileged Remote Access; BeyondTrust patched all cloud/SaaS instances automatically, but self-hosted (on-premises) customers must apply patches manually.
CVSS provenance
- nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
GHSA
GHSA-69c6-ccv7-v3g3 · ghsa_unreviewed · 2024-12-17 · CVE-2024-12356 [CRITICAL] CWE-77
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
VulnCheck
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-12356 [CRITICAL] CWE-77
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.
Affected: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
- https://insights.nccgroup.com/l/898251/2025-01-24/31knsst/898251/1
CISA
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
cisa · 2024-12-19 · CVSS 9.8 · CVE-2024-12356 [CRITICAL] CWE-77
Vulnerability: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
Affected: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
- https://nvd.nist.gov/vuln/detail/CVE-2024-12356
Remediation Due Date: 2024-12-27
No detection rules found.
Nuclei
Privileged Remote Access & Remote Support - Command Injection
nuclei · CVSS 9.8 · CVE-2024-12356 [CRITICAL]
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
Template:

```yaml
id: CVE-2024-12356
info:
  name: Privileged Remote Access & Remote Support - Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
  remediation: |
    Apply the security patches provided by BeyondTrust for Privileged Remote Access and Remote Support products and restrict network acces
```
Metasploit
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution
metasploit
This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust product site. This exploit targets PRA and RS versions 24.3.1 and below.
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist · 2026-05-07 · CVSS 7.8 · CVE-2026-21519 [HIGH]
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Unit42
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
blogs_unit42 · 2026-02-19 · CVSS 9.9 · CVE-2026-1731 [CRITICAL]
## Executive Summary
On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption.
Unit 42 is actively investigating exploitation of this vulnerability and has observed attacker activity consistent with the following:
- Network reconnaissance and account creation
- Webshell deployment
- Command-and-control (C2) traffic
- Backdoor and remote management tool deployment
- Late
Bleepingcomputer
blogs_bleepingcomputer · 2026-02-16 · CVSS 9.9 · [CRITICAL]
## CISA gives feds 3 days to patch actively exploited BeyondTrust flaw
Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on Friday to secure their BeyondTrust Remote Support instances against an actively exploited vulnerability within three days.
BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including government agencies and 75% of Fortune 100 companies worldwide.
Tracked as CVE-2026-1731, this remote code execution vulnerability stems from an OS command injection weakness and affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
While BeyondTrust patched all Remote Support and Privileged Remote Access SaaS instances on F
Greynoiseio
Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far
blogs_greynoiseio · 2026-02-12 · CVSS 9.9 · [CRITICAL]
Bleepingcomputer
blogs_bleepingcomputer · 2026-02-09 · CVSS 9.9 · CVE-2026-1731 [CRITICAL]
## BeyondTrust warns of critical RCE flaw in remote support software
Sergiu Gatlan
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.
Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don't require user interaction.
"Successful exploitation could allow an unauthe
Bleepingcomputer
blogs_bleepingcomputer · 2025-06-18 · CVSS 8.6 · [HIGH]
## BeyondTrust warns of pre-auth RCE in Remote Support software
Sergiu Gatlan
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
Remote Support is BeyondTrust's enterprise-grade remote support solution that helps IT support teams troubleshoot issues by remotely connecting to systems and devices, while Privileged Remote Access acts as a secure gateway and ensures that users can only access the specific systems and resources they're authorized to use.
Tracked as CVE-2025-5309, this Server-Side Template Injection vulnerability was discovered by Jorren Geurts of Resillion in the chat feature of BeyondTrust RS/
Bleepingcomputer
blogs_bleepingcomputer · 2025-02-14 · CVSS 9.8 · CVE-2024-12356 [CRITICAL]
## PostgreSQL flaw exploited as zero-day in BeyondTrust breach
Sergiu Gatlan
Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-
Bleepingcomputer
blogs_bleepingcomputer · 2025-01-13 · CVSS 9.8 · CVE-2024-12686 [CRITICAL]
## CISA orders agencies to patch BeyondTrust bug exploited in attacks
Sergiu Gatlan
CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks.
As mandated by the Binding Operational Directive (BOD) 22-01, after being added to CISA's Known Exploited Vulnerabilities catalog, U.S. federal agencies must secure their networks against ongoing attacks targeting the flaw within three weeks by February 3.
On December 19, the U.S. cybersecurity agency also added a critical command injection security bug (CVE-2024-12356) in the same BeyondTrust software products.
BeyondTrust found both vulnerabilities while investigating the breach of some of its Remote Support SaaS instances
Checkpoint
blogs_checkpoint · 2025-01-06 · CVSS 9.8 · CVE-2024-12356 [CRITICAL]
## 6th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point elaborated on the US Treasury Department cyber-attack that compromised employee workstations and classified documents. The breach, attributed to a China state-sponsored threat actor, involved unauthorized remote access using a security key from third-party provider BeyondTrust. The attackers exploited two vulnera
Bleepingcomputer
blogs_bleepingcomputer · 2024-12-30 · CVSS 9.8 · [CRITICAL]
## US Treasury Department breached through remote support platform
Lawrence Abrams
Chinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used by the federal agency.
In a letter sent to lawmakers and seen by the New York Times, the Treasury Department warned lawmakers it was first notified of the breach on December 8th by its vendor BeyondTrust.
BeyondTrust is a privileged access management company that also offers a remote support SaaS platform that can be used to access computers remotely.
"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," reads the letter seen by the New York Times.
"In accordance with Treasury policy, intrusions attrib
Bleepingcomputer
blogs_bleepingcomputer · 2024-12-19 · CVSS 9.8 · [CRITICAL]
## BeyondTrust says hackers breached Remote Support SaaS instances
Bill Toulas
Story updated with statement from BeyondTrust.
Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances.
BeyondTrust is a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions. Their products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.
The company says that on December 2nd, 2024, it detected "anomalous behavior" on its network. An initial investigation confirmed that threat actors compromised some of its Remote Support SaaS insta
Wiz
blogs_wiz · CVSS 9.8 · CVE-2026-1731 [CRITICAL]
## CVE-2026-1731: BeyondTrust Privileged Remote Access Client vulnerability analysis and mitigation
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Source: NVD
Score: 9.9
Published: February 6, 2026
Severity: CRITICAL
CNA Score: 9.9
High-profile Vulnerability: Yes
Affected Technologies: BeyondTrust Privileged Remote Access Client; BeyondTrust Remote Support Client
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-12356
- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
- https://www.cve.org/CVERecord?id=CVE-2024-12356
- https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12356
Timeline
- 2024-12-17: Published
- 2024-12-19: Added to CISA KEV
- Exploited in the wild