Advisory ID: BT24-11
CVSSv3 Score: 6.6
Severity: Medium
Issue Date: 2024-12-18
CVE(s): CVE-2024-12686
Synopsis: Command Injection Vulnerability
Impacted Products: Remote Support (RS) & Privileged Remote Access (PRA)
Summary
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) that allows an attacker who already holds administrative privileges to inject commands that run as the site user.
Details
All BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions contain a command injection vulnerability that a user with existing administrative privileges can exploit by uploading a malicious file. Successful exploitation allows a remote attacker to execute underlying operating system commands in the context of the site user. The issue is fixed by a patch available for all supported releases of RS and PRA 22.1.x and higher.
Mitigation
A patch has been applied to all RS/PRA cloud customers as of December 16, 2024 that remediates this vulnerability.
On-premise customers of RS/PRA should apply this patch via their /appliance interface. If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch.
Affected Versions
| Product | Version |
|---|---|
| Privileged Remote Access (PRA) | 24.3.1 and earlier |
| Remote Support (RS) | 24.3.1 and earlier |
Fixed Versions
| Product | Version |
|---|---|
| Privileged Remote Access (PRA) | PRA patch |
| Remote Support (RS) | RS patch |
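As an added example (not BeyondTrust's code), a small Python triage helper that applies the version boundaries stated in the Mitigation section and the tables above to an appliance inventory: 24.3.1 and earlier is affected, the patch exists only for 22.1.x and higher, and cloud tenants were patched by the vendor on December 16, 2024. The hostnames and versions in the sample inventory are constructed, and the action strings are my own wording, not the advisory's.

```python
"""Triage helper for BeyondTrust advisory BT24-11 (CVE-2024-12686).

Added example, not BeyondTrust code. Encodes the advisory's two version
boundaries: RS/PRA 24.3.1 and earlier are affected, and the patch exists
only for 22.1.x and higher, so older on-premise appliances must upgrade first.
"""
from __future__ import annotations

AFFECTED_MAX = (24, 3, 1)   # "24.3.1 and earlier" (Affected Versions table)
PATCH_MIN = (22, 1, 0)      # patch available for "22.1.x and higher"
PRODUCTS = {"RS", "PRA"}    # Remote Support, Privileged Remote Access

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '24.3.1' or '22.1' into a comparable 3-tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised RS/PRA version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def triage(product: str, version: str, deployment: str) -> str:
    """Return the action BT24-11 implies for one appliance."""
    if product not in PRODUCTS:
        raise ValueError(f"not covered by BT24-11: {product!r}")
    if deployment not in ("cloud", "on-premise"):
        raise ValueError(f"unknown deployment type: {deployment!r}")
    v = parse_version(version)
    if v > AFFECTED_MAX:
        return "newer than the 24.3.1 ceiling in BT24-11; confirm patch status separately"
    if deployment == "cloud":
        return "affected; patched by vendor on 2024-12-16, confirm with BeyondTrust"
    if v < PATCH_MIN:
        return "affected; upgrade to 22.1 or later, then apply the BT24-11 patch"
    return "affected; apply the BT24-11 patch via the /appliance interface"

def triage_inventory(rows: list[tuple[str, str, str, str]]) -> dict[str, str]:
    """Map hostname -> action for (host, product, version, deployment) rows."""
    return {host: triage(prod, ver, dep) for host, prod, ver, dep in rows}

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("pra-01.example.test", "PRA", "24.3.1", "on-premise"),
    ("rs-legacy.example.test", "RS", "21.2.3", "on-premise"),
    ("rs-cloud.example.test", "RS", "24.2.0", "cloud"),
]
```

Run `triage_inventory(SAMPLE_INVENTORY)` to get a hostname-to-action map; feed it your own rows exported from asset management.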
