CVE-2024-12686
Published 2024-12-18
Priority: P181, high, 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2025-02-03
ITW: Exploited in the wild
EPSS: 13.79% (96.0th percentile)
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beyondtrust | privileged_remote_access | <= 24.3.1 | — |
| beyondtrust | remote_support | <= 24.3.1 | — |
| beyondtrust | remote_support_privileged_remote_access | <= 24.3.1 | — |
Detection & IOCs (extracted from sources)
- CVE-2024-12686 is a command injection vulnerability in BeyondTrust PRA/RS; attackers with existing administrative privileges can inject commands and run as a site user. Monitor for unexpected OS command execution spawned from BeyondTrust service processes.
- CVE-2024-12686 was exploited in the wild alongside CVE-2024-12356 as zero-days; both were used to breach BeyondTrust Remote Support SaaS instances. Correlate exploitation of either CVE together as part of the same intrusion chain.
- Post-exploitation technique: threat actors used a stolen Remote Support SaaS API key to reset passwords for local application accounts. Alert on unexpected local account password resets originating from BeyondTrust API activity.
- CISA added CVE-2024-12686 (also tracked as BT24-11) to the KEV catalog. Treat any unpatched BeyondTrust PRA/RS instance as a high-priority detection target.
- CVE-2024-12686 requires existing administrative privileges to exploit (medium severity, CVSS 7.2), unlike the companion critical CVE-2024-12356, which is pre-authentication. Detection and triage should account for this privilege prerequisite.
- BeyondTrust patched CVE-2024-12686 on all cloud/SaaS instances automatically; only self-hosted/on-premises deployments require manual patching and remain at risk if not updated.
CVSS provenance
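| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 6.6 | MEDIUM | |
| cisa | | 7.2 | HIGH | |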
GHSA
GHSA-xqg3-vx4p-jmwm · ghsa_unreviewed · 2024-12-18 · CVE-2024-12686 [MEDIUM] CWE-78
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
VulnCheck
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
vulncheck · 2024 · CVSS 6.6 · CVE-2024-12686 [MEDIUM] CWE-78
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.
Affected: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.beyondtrust.com/remote-support-saas-service-security-investigation; https://ww
CISA
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
cisa · 2025-01-13 · CVSS 7.2 · CVE-2024-12686 [HIGH] CWE-78
Affected: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.beyondtrust.com/trust-center/security-advisories/bt24-11 ; https://nvd.nist.gov/vu
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA gives feds 3 days to patch actively exploited BeyondTrust flaw
blogs_bleepingcomputer · 2026-02-16 · CVSS 9.9 · [CRITICAL]
Author: Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on Friday to secure their BeyondTrust Remote Support instances against an actively exploited vulnerability within three days.
BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including government agencies and 75% of Fortune 100 companies worldwide.
Tracked as CVE-2026-1731, this remote code execution vulnerability stems from an OS command injection weakness and affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
While BeyondTrust patched all Remote Support and Privileged Remote Access SaaS instances on F
Bleepingcomputer
BeyondTrust warns of critical RCE flaw in remote support software
blogs_bleepingcomputer · 2026-02-09 · CVSS 9.9 · CVE-2026-1731 [CRITICAL]
Author: Sergiu Gatlan
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.
Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don't require user interaction.
"Successful exploitation could allow an unauthe
Bleepingcomputer
BeyondTrust warns of pre-auth RCE in Remote Support software
blogs_bleepingcomputer · 2025-06-18 · CVSS 8.6 · [HIGH]
Author: Sergiu Gatlan
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
Remote Support is BeyondTrust's enterprise-grade remote support solution that helps IT support teams troubleshoot issues by remotely connecting to systems and devices, while Privileged Remote Access acts as a secure gateway and ensures that users can only access the specific systems and resources they're authorized to use.
Tracked as CVE-2025-5309, this Server-Side Template Injection vulnerability was discovered by Jorren Geurts of Resillion in the chat feature of BeyondTrust RS/
Bleepingcomputer
PostgreSQL flaw exploited as zero-day in BeyondTrust breach
blogs_bleepingcomputer · 2025-02-14 · CVSS 9.8 · CVE-2024-12356 [CRITICAL]
Author: Sergiu Gatlan
Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-
Talos
Find the helpers
blogs_talos · 2025-01-16
Welcome to this week’s edition of the Threat Source newsletter.
“When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’”
― Fred Rogers
There’s no world where following Mr. Rogers’ advice is wrong. With the wildfires raging in Greater Los Angeles, now more than ever I am very aware of the need to look for the helpers. I get it, I see the news and it’s overwhelming and terrifying. So, Gentle Reader, I’m asking that instead of just finding the helpers – be the helper. I’d like everyone to take a moment and think about what you can do to be a helper – not just with the catastrophic fires and the incredible destruction but in your own world. In your home life and in your work
Bleepingcomputer
CISA orders agencies to patch BeyondTrust bug exploited in attacks
blogs_bleepingcomputer · 2025-01-13 · CVSS 9.8 · CVE-2024-12686 [CRITICAL]
Author: Sergiu Gatlan
CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks.
As mandated by the Binding Operational Directive (BOD) 22-01, after being added to CISA's Known Exploited Vulnerabilities catalog, U.S. federal agencies must secure their networks against ongoing attacks targeting the flaw within three weeks by February 3.
On December 19, the U.S. cybersecurity agency also added a critical command injection security bug (CVE-2024-12356) in the same BeyondTrust software products.
BeyondTrust found both vulnerabilities while investigating the breach of some of its Remote Support SaaS instances
Checkpoint
6th January – Threat Intelligence Report
blogs_checkpoint · 2025-01-06 · CVSS 9.8 · CVE-2024-12356 [CRITICAL]
For the latest discoveries in cyber research for the week of 6th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point elaborated on the US Treasury Department cyber-attack that compromised employee workstations and classified documents. The breach, attributed to a China state-sponsored threat actor, involved unauthorized remote access using a security key from third-party provider BeyondTrust. The attackers exploited two vulnera
Bleepingcomputer
US Treasury Department breached through remote support platform
blogs_bleepingcomputer · 2024-12-30 · CVSS 9.8 · [CRITICAL]
Author: Lawrence Abrams
Chinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used by the federal agency.
In a letter sent to lawmakers and seen by the New York Times, the Treasury Department warned lawmakers it was first notified of the breach on December 8th by its vendor BeyondTrust.
BeyondTrust is a privileged access management company that also offers a remote support SaaS platform that can be used to access computers remotely.
"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," reads the letter seen by the New York Times.
"In accordance with Treasury policy, intrusions attrib
Bleepingcomputer
BeyondTrust says hackers breached Remote Support SaaS instances
blogs_bleepingcomputer · 2024-12-19 · CVSS 9.8 · [CRITICAL]
Author: Bill Toulas
Story updated with statement from BeyondTrust.
Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances.
BeyondTrust is a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions. Their products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.
The company says that on December 2nd, 2024, it detected "anomalous behavior" on its network. An initial investigation confirmed that threat actors compromised some of its Remote Support SaaS insta
Wiz
CVE-2026-1731 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CVE-2026-1731 [CRITICAL]
## CVE-2026-1731: BeyondTrust Privileged Remote Access Client vulnerability analysis and mitigation
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.9 |
| Published | February 6, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.9 |
| High-profile Vulnerability | Yes |
| Affected Technologies | BeyondTrust Privileged Remote Access Client; BeyondTrust Remote Support Client |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | Yes |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 9 |
2024-12-18: Published
2025-01-13: Added to CISA KEV
Exploited in the wild