The Cybersecurity and Infrastructure Security Agency added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access Products to its catalog of known exploited vulnerabilities on Monday.
The medium-severity flaw, listed as CVE-2024-12686, allows an attacker who already holds administrative privileges to inject commands that are executed as if they were run by a site user. The vulnerability has a CVSS score of 6.6.
The CVE is the second vulnerability disclosed by BeyondTrust during its investigation into an attack spree in December. The attacker reset the passwords of numerous accounts after compromising a Remote Support SaaS API key. A limited number of Remote Support SaaS customers were impacted by the attacks.
It is not immediately clear what role the medium-severity CVE plays in attacks, whether attackers are chaining it together with a critical command injection vulnerability, CVE-2024-12356, or exploiting it on its own. Researchers from Rapid7 said they have not yet seen any recent threat activity specific to CVE-2024-12686.
CISA in December added CVE-2024-12356 to its KEV catalog. BeyondTrust also identified that command injection vulnerability during its investigation of the attack spree. That vulnerability has a CVSS score of 9.8.
Federal authorities and the company have yet to explicitly tie the BeyondTrust CVEs to the Treasury Department hack or explain exactly what role they had in the attack spree.
BeyondTrust products are widely used across the global enterprise. The company says it has about 20,000 customers across a vast portfolio, including 75 of the Fortune 100.
CISA has been working with BeyondTrust and the Treasury Department to investigate the hack of numerous workstations within the agency. A state-linked hacker gained access to unclassified data by using a stolen key from the vendor that was used for cloud-based technical support.
Officials have attributed the Treasury Department hack to an advanced persistent threat actor backed by the People’s Republic of China, according to a letter sent to the leaders of the Senate Committee on Banking, Housing and Urban Affairs.
Treasury Secretary Janet Yellen called out the nation state for its alleged hacking activity and how it might impact U.S. relations during a virtual meeting with Vice Premier He Lifeng from the People's Republic of China.
CISA last week said there was no evidence the hack of the Treasury Department impacted other federal agencies. However, it is not clear whether other federal agencies use the respective BeyondTrust products.
A spokesperson for CISA declined to comment on the investigation of the Treasury Department hack or the BeyondTrust CVE.
BeyondTrust last week said it was close to completing a forensic investigation of the attack spree.
The addition of the BeyondTrust CVE to the KEV catalog means that federal civilian agencies in the executive branch have a deadline to mitigate the flaw. If they can’t properly patch or otherwise fix such vulnerabilities, in certain cases they are told to stop using the products.
President Biden is expected to sign an executive order this week that will address, among other things, steps that federal agencies need to take to strengthen their security.