CVE-2024-12356

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in BeyondTrust Privileged Remote Access and Remote Support products allows unauthenticated attackers to execute arbitrary commands with site user privileges. It affects organizations using these products for remote access and support. The vulnerability enables remote code execution without authentication.

💻 Affected Systems

Products:
  • BeyondTrust Privileged Remote Access
  • BeyondTrust Remote Support
Versions: Releases prior to the patched versions (Privileged Remote Access 23.4.2, Remote Support 24.1.1)
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the web interface component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the BeyondTrust server leading to lateral movement across the network, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Attackers gain initial access to the network through the BeyondTrust server, then pivot to other systems to deploy ransomware or steal credentials.

🟢 If Mitigated

Limited impact if the server is isolated with strict network segmentation and access controls, though command execution would still be possible on the server itself.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to attackers who gain network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. CISA has added this to their Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Privileged Remote Access: 23.4.2 and later; Remote Support: 24.1.1 and later

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

Restart Required: Yes

Instructions:

1. Download the latest patched version from the BeyondTrust support portal.
2. Back up the current configuration.
3. Install the update following vendor documentation.
4. Restart the service/application.
5. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Network Isolation (applies to all platforms)

  • Restrict network access to the BeyondTrust server to only trusted IP addresses
  • Use firewall rules to limit inbound connections to specific source IPs

Disable Web Interface (applies to all platforms)

  • Temporarily disable the vulnerable web interface component if not required
  • Consult BeyondTrust documentation for disabling specific web services

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the BeyondTrust server from critical systems
  • Deploy web application firewall (WAF) rules to block command injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the product version against affected versions listed in the BeyondTrust advisory. Versions below 23.4.2 for PRA and below 24.1.1 for RS are vulnerable.

Check Version:

Check the product version in the web interface under Help > About or use vendor-specific CLI commands for version checking.

Verify Fix Applied:

Verify the installed version is 23.4.2 or higher for PRA, or 24.1.1 or higher for RS. Check vendor documentation for specific patch verification steps.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in BeyondTrust logs
  • Multiple failed authentication attempts followed by successful command execution
  • Suspicious process creation from BeyondTrust service accounts

Network Indicators:

  • Unusual outbound connections from BeyondTrust server
  • Command and control traffic originating from the BeyondTrust server
  • Unexpected network scans from the BeyondTrust server

SIEM Query:

source="beyondtrust" AND (event_type="command_execution" OR process_name="cmd.exe" OR process_name="powershell.exe") | stats count by src_ip, user
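As an added example (not part of this advisory and not BeyondTrust tooling), the Python below applies the same predicate as the SIEM query above and the "failed authentication followed by command execution" indicator to constructed key=value log lines; the field names and sample values are assumptions, not the real BeyondTrust log format.

```python
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed key=value style (not real BeyondTrust output).
SAMPLE_LOGS = """\
ts=2024-12-17T10:00:01Z source=beyondtrust event_type=auth_failure src_ip=203.0.113.5 user=svc_support
ts=2024-12-17T10:00:03Z source=beyondtrust event_type=auth_failure src_ip=203.0.113.5 user=svc_support
ts=2024-12-17T10:00:05Z source=beyondtrust event_type=auth_failure src_ip=203.0.113.5 user=svc_support
ts=2024-12-17T10:00:09Z source=beyondtrust event_type=command_execution src_ip=203.0.113.5 user=svc_support process_name=cmd.exe
ts=2024-12-17T10:01:00Z source=beyondtrust event_type=session_start src_ip=198.51.100.7 user=alice
ts=2024-12-17T10:02:00Z source=beyondtrust event_type=process_start src_ip=198.51.100.7 user=alice process_name=powershell.exe
ts=2024-12-17T10:03:00Z source=otherapp event_type=command_execution src_ip=192.0.2.9 user=bob process_name=cmd.exe
"""

SUSPICIOUS_PROCESSES = {"cmd.exe", "powershell.exe"}

def parse_line(line):
    """Split one key=value log line into a dict (assumed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def matches_query(ev):
    """Same predicate as the SIEM query: source is beyondtrust and the event
    is a command execution or names cmd.exe / powershell.exe as the process."""
    return ev.get("source") == "beyondtrust" and (
        ev.get("event_type") == "command_execution"
        or ev.get("process_name") in SUSPICIOUS_PROCESSES
    )

def count_by_src_user(log_text):
    """Equivalent of `| stats count by src_ip, user` over matching events."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if matches_query(ev):
            counts[(ev.get("src_ip"), ev.get("user"))] += 1
    return dict(counts)

def failed_auth_then_exec(log_text, threshold=3):
    """Return source IPs with >= threshold auth failures followed by a
    matching command-execution event (the log indicator listed above)."""
    failures = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        ip = ev.get("src_ip")
        if ev.get("event_type") == "auth_failure":
            failures[ip] += 1
        elif matches_query(ev):
            if failures[ip] >= threshold and ip not in flagged:
                flagged.append(ip)
            failures[ip] = 0  # reset the window after an execution event
    return flagged
```

Note that the event from `source=otherapp` is excluded by the source filter, which is what keeps the query scoped to the BeyondTrust server.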
