Leading Privileged Access Management (PAM) provider BeyondTrust experienced a significant security breach in early December 2023, affecting its Remote Support SaaS platforms. The company, which serves various sectors including government, healthcare, banking, and technology, detected suspicious network activity on December 2nd.
The breach involved threat actors obtaining unauthorized access to Remote Support SaaS API keys, enabling them to reset passwords for local application accounts. Upon discovery, BeyondTrust immediately revoked the compromised API key and suspended affected instances, providing alternative solutions to impacted customers.
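The two control points described above, API keys that can reset local application account passwords and the revocation of a compromised key, are exactly what a defender wants to watch in the platform's audit trail. The following is an added example written for this page, not BeyondTrust code and not its real log format: the event schema, the sample events and the revocation table are all constructed, and the window and threshold values are assumptions to be tuned against a real environment. It flags bursts of API-key-driven password resets against local accounts and any use of a key after its recorded revocation time.

```python
"""Audit-log triage for API-key-driven password resets (illustrative, constructed schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. Fields: timestamp, credential type used
# ("api_key" or an interactive "session"), key id, action, and target account.
SAMPLE_EVENTS = [
    {"ts": "2023-12-02T03:10:05Z", "cred": "api_key", "key_id": "key-01", "action": "password_reset", "target": "local:app-admin"},
    {"ts": "2023-12-02T03:11:40Z", "cred": "api_key", "key_id": "key-01", "action": "password_reset", "target": "local:support-1"},
    {"ts": "2023-12-02T03:12:02Z", "cred": "api_key", "key_id": "key-01", "action": "password_reset", "target": "local:support-2"},
    {"ts": "2023-12-02T03:14:30Z", "cred": "api_key", "key_id": "key-01", "action": "password_reset", "target": "local:backup-op"},
    {"ts": "2023-12-02T09:00:00Z", "cred": "api_key", "key_id": "key-02", "action": "password_reset", "target": "local:rotation-bot"},
    {"ts": "2023-12-02T09:05:00Z", "cred": "session", "key_id": None, "action": "password_reset", "target": "local:helpdesk"},
    {"ts": "2023-12-02T15:30:00Z", "cred": "api_key", "key_id": "key-01", "action": "list_sessions", "target": "-"},
]

# Constructed revocation record: key id -> time the key was revoked.
REVOCATIONS = {"key-01": "2023-12-02T12:00:00Z"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def api_key_reset_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {key_id: peak_count} for API keys that reset at least `threshold`
    local-account passwords inside any sliding `window`.

    Interactive resets are ignored: the signal is automation credentials
    rewriting local credentials in bulk."""
    per_key = defaultdict(list)
    for e in events:
        if e["cred"] == "api_key" and e["action"] == "password_reset" and e["target"].startswith("local:"):
            per_key[e["key_id"]].append(_ts(e["ts"]))

    bursts = {}
    for key, times in per_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def revoked_key_use(events, revocations):
    """Return events where an API key was presented after its revocation time.
    Any hit means revocation did not take effect everywhere it should have."""
    hits = []
    for e in events:
        revoked_at = revocations.get(e.get("key_id"))
        if e["cred"] == "api_key" and revoked_at and _ts(e["ts"]) > _ts(revoked_at):
            hits.append(e)
    return hits


def triage(events, revocations):
    """Combine both checks into human-readable findings."""
    findings = []
    for key, n in api_key_reset_bursts(events).items():
        findings.append(f"burst: API key {key} reset {n} local account passwords within 10 minutes")
    for e in revoked_key_use(events, revocations):
        findings.append(f"revoked-key-use: {e['key_id']} presented at {e['ts']} for {e['action']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, REVOCATIONS):
        print(line)
```

On the constructed data the burst check flags key-01 (four local resets in under five minutes) and the revocation check flags its later list_sessions call, while the single rotation-bot reset and the interactive helpdesk reset stay quiet. The design choice worth keeping is the split between the two checks: the first catches misuse of a key that is still legitimate, the second verifies that a revocation actually closed the door.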
During the subsequent investigation, two significant vulnerabilities were identified:
1. CVE-2024-12356: A critical command injection vulnerability in Remote Support and Privileged Remote Access products, allowing unauthorized remote attackers to execute system commands.
2. CVE-2024-12686: A medium-severity flaw enabling admin-level attackers to inject commands and upload malicious files.
BeyondTrust has automatically patched these vulnerabilities on cloud instances, though self-hosted customers must manually update their systems. The company continues to investigate the incident’s full scope and impact on downstream customers, with updates pending as more information becomes available.
This security incident raises concerns given BeyondTrust’s role as a major security solutions provider to critical infrastructure and enterprise organizations worldwide.