CVE-2024-12686
published 2024-12-18

Priority P181 · high · 7.2 (CVSS 3.1)
AV:N AC:L PR:H UI:N S:U C:H I:H A:H
KEV: CISA Known Exploited Vulnerability, due 2025-02-03
ITW: Exploited in the wild
EPSS: 13.79% (96.0th percentile)

A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.

Affected

3 ranges
Vendor       Product                                   Version range   Fixed in
beyondtrust  privileged_remote_access                  <= 24.3.1
beyondtrust  remote_support                            <= 24.3.1
beyondtrust  remote_support_privileged_remote_access   <= 24.3.1

Detection & IOCs (extracted from sources)

  • CVE-2024-12686 is a command injection vulnerability in BeyondTrust PRA/RS; attackers with existing administrative privileges can inject commands and run as a site user — monitor for unexpected OS command execution spawned from BeyondTrust service processes
  • CVE-2024-12686 was exploited in the wild alongside CVE-2024-12356 as zero-days; both were used to breach BeyondTrust Remote Support SaaS instances — correlate exploitation of either CVE together as part of the same intrusion chain
  • Post-exploitation technique: threat actors used a stolen Remote Support SaaS API key to reset passwords for local application accounts — alert on unexpected local account password resets originating from BeyondTrust API activity
  • CISA added CVE-2024-12686 (also tracked as BT24-11) to the KEV catalog — treat any unpatched BeyondTrust PRA/RS instance as a high-priority detection target
  • CVE-2024-12686 requires existing administrative privileges to exploit (medium severity, CVSS 7.2), unlike the companion critical CVE-2024-12356 which is pre-authentication; detection and triage should account for this privilege prerequisite
  • BeyondTrust patched CVE-2024-12686 on all cloud/SaaS instances automatically; only self-hosted/on-premises deployments require manual patching and remain at risk if not updated

CVSS provenance

nvd        v3.1  7.2  HIGH    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck        6.6  MEDIUM
cisa             7.2  HIGH