CVE-2024-12356

CRITICAL CISA KEV EPSS 99.7%

Published Dec 17, 20241y ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Find Similar

Published Dec 17, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

KEV Listed Dec 19, 2024 1y ago

KEV Due Dec 27, 2024 549d overdue

Description

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

CISA Known Exploited Overdue 549d

Added: Dec 19, 2024
Due: Dec 27, 2024

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability

99.7% percentile

Exploit & Patch Status

Actively Exploited (KEV)

No Patch Available

Weaknesses 1

CWE-77 Command Injection Injection

Affected Products 2

Vendor	Product	Version	Range
beyondtrust	privileged_remote_access	*	≤24.3.1
beyondtrust	remote_support	*	≤24.3.1

References 5

attackerkb.com https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis

ExploitThird Party Advisory
nvd.nist.gov https://nvd.nist.gov/vuln/detail/CVE-2024-12356

Third Party AdvisoryUS Government Resource
beyondtrust.com https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

Vendor Advisory
cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12356

US Government Resource
cve.org https://www.cve.org/CVERecord?id=CVE-2024-12356

Third Party AdvisoryUS Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.