CISA Adds Exploited BeyondTrust and Qlik Sense Vulnerabilities to Catalog
2025-01-14
Learn about the critical importance of patch management and how vulnerabilities in widely used remote support tools can lead to major breaches, demonstrating the need for comprehensive security solutions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity vulnerability in BeyondTrust Privileged Remote Access and Remote Support products to its Known Exploited Vulnerabilities catalog because it is being actively exploited. This flaw, alongside a previously reported critical vulnerability, was identified during the investigation of a cyber incident involving a compromised Remote Support SaaS API key; that key was used in a breach of the U.S. Treasury Department attributed to the Chinese state-sponsored group Silk Typhoon. CISA also added a critical vulnerability in Qlik Sense, previously exploited by the Cactus ransomware group, to the catalog. Federal agencies are mandated to patch these vulnerabilities by February 3, 2024, to prevent further threats.
Zero-Day, API Vulnerability, Privilege Escalation, Third-Party Vendor/SaaS
BeyondTrust, CISA, Vulnerabilities, Silk Typhoon, Qlik Sense, Remote Support, API Key Breach
CVE-2024-12686; CVE-2024-12356; CVE-2023-48365
BeyondTrust Privileged Remote Access, BeyondTrust Remote Support, Qlik Sense, U.S. Treasury Department
BeyondTrust Vulnerabilities Added to CISA's Exploited Catalog

Vulnerability Details
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added security vulnerabilities affecting BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities were identified amid active exploitation, a significant concern for organizations that run these tools. The first, CVE-2024-12686, is a medium-severity issue that allows an attacker who already holds administrative privileges to inject commands and operate as a site user; this enables the execution of operating system commands and potentially unauthorized actions on the affected system. The second, CVE-2024-12356, had already been added to the KEV catalog. It is far more severe, carrying a CVSS score of 9.8 and allowing execution of arbitrary commands, a serious threat to system integrity.

Incident Overview
Both vulnerabilities were discovered during the investigation of a cyber incident in December 2024. The attackers exploited a compromised Remote Support SaaS API key, which allowed them to breach certain instances and reset local application account passwords. The API key has since been revoked, but how it was compromised has not been determined. The vulnerabilities are suspected to have been used as zero-day exploits.

Breach Impact and Attribution
The breach had significant ramifications, including an attack on the U.S. Treasury Department. Described as a "major cybersecurity incident," it was attributed to the Chinese state-sponsored group known as Silk Typhoon. The group targeted critical departments within the Treasury, including the Office of Foreign Assets Control (OFAC), the Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS).

Additional Vulnerability in Qlik Sense
In addition to the BeyondTrust vulnerabilities, CISA added a critical vulnerability affecting Qlik Sense (CVE-2023-48365) to the KEV catalog. With a CVSS score of 9.9, it allows attackers to escalate privileges and execute HTTP requests on the backend server. It has previously been exploited by the Cactus ransomware group.

Required Remediation
Federal agencies are mandated to apply the necessary patches for these vulnerabilities by February 3, 2024, to safeguard their networks from ongoing threats. The deadline underscores the importance of timely patch management and proactive security measures to reduce exploitation risk.
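For the remediation mandate above, here is the kind of triage script a defender might write: it takes KEV-style records, keeps those that match an asset inventory, and orders them by due date and known ransomware use. This is an added example, not code from the article, BeyondTrust, Qlik or CISA; the field names follow the public KEV JSON feed, while the records, inventory and dates are constructed placeholders rather than values from the live catalog.

```python
"""Triage CISA KEV entries against a local asset inventory (added example,
not code from the article, BeyondTrust, Qlik or CISA). Field names follow
the public KEV JSON feed; the records, inventory and dates below are
constructed placeholders, not values copied from the live catalog."""
from datetime import date

# Constructed KEV-style records for the CVEs named in the article, plus a
# placeholder entry for a product the inventory does not contain.
KEV_SAMPLE = [
    {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
     "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
     "dueDate": "2025-02-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
     "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
     "dueDate": "2025-01-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-48365", "vendorProject": "Qlik", "product": "Sense",
     "dueDate": "2025-02-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor",
     "product": "Placeholder", "dueDate": "2025-02-03",
     "knownRansomwareCampaignUse": "Unknown"},
]
# Constructed inventory: vendor plus the product name as locally recorded.
INVENTORY = [{"vendor": "BeyondTrust", "product": "Remote Support"},
             {"vendor": "Qlik", "product": "Qlik Sense"}]


def matches(entry, asset):
    """Vendor must match (case-insensitive); KEV product names are free
    text, so accept containment in either direction."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    kev, mine = entry["product"].lower(), asset["product"].lower()
    return mine in kev or kev in mine


def triage(kev_entries, inventory, today_iso):
    """Return affected entries, most urgent first: overdue, then
    ransomware-linked, then fewest days left until the due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev_entries:
        if not any(matches(entry, asset) for asset in inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        findings.append({"cveID": entry["cveID"], "days_left": days_left,
                         "overdue": days_left < 0,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["days_left"]))
    return findings
```

Running `triage(KEV_SAMPLE, INVENTORY, "2025-01-14")` lists the overdue BeyondTrust entry first, then the ransomware-linked Qlik Sense entry, and drops the placeholder product that is not in the inventory.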
https://thehackernews.com/2025/01/cisa-adds-new-beyondtrust-flaw-to-kev.html?m=1