The Cybersecurity and Infrastructure Security Agency (CISA) announced on Monday that it has identified a serious security flaw, known as a command injection vulnerability, in BeyondTrust’s Remote Support and Privileged Access products.

This type of vulnerability can allow hackers to execute unauthorized commands on a system, potentially giving them control. CISA has added this issue to its catalog of known exploited vulnerabilities, a list used to alert organizations to actively targeted weaknesses.
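As an added illustration (not code from BeyondTrust or from the article), the following Python shows the general shape of a command injection flaw of the kind described above: an untrusted value spliced into a shell command string, beside a hardened version that validates the input and passes it as a discrete argument with no shell involved. The `ping` wrapper and hostname pattern are constructed for the example.

```python
import re
import shlex
import subprocess

# Constructed allow-list: letters, digits, dots and hyphens only, as a hostname would need.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that a POSIX shell treats as command separators or substitutions.
SHELL_METACHARS = set(";|&`$()<>\n")


def build_vulnerable_command(host: str) -> str:
    """Unsafe: the untrusted value becomes part of a string the shell will parse.

    If `host` is "example.com; id", the shell runs `ping` and then `id`.
    """
    return f"ping -c 1 {host}"


def build_hardened_command(host: str) -> list[str]:
    """Safe: reject anything that is not a plausible hostname, then return an
    argv list so the value is one argument and no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def contains_shell_metachars(command: str) -> bool:
    """Detection helper: true when a command string holds shell control characters,
    i.e. when the shell would not treat it as a single ping invocation."""
    return any(ch in SHELL_METACHARS for ch in command)


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False so argv is handed to the kernel as-is."""
    return subprocess.run(build_hardened_command(host), capture_output=True, text=True)


if __name__ == "__main__":
    injected = "example.com; id"
    unsafe = build_vulnerable_command(injected)
    print("vulnerable string:", unsafe)
    print("shell would split it into:", shlex.split(unsafe), "-> and honour the ';'")
    try:
        build_hardened_command(injected)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened argv:", build_hardened_command("example.com"))
```

The fix has two independent parts: input validation stops the injected value at the boundary, and using an argv list with `shell=False` means that even a value which slipped past validation would be delivered as a single argument rather than interpreted by a shell.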

BeyondTrust resolved the issue by releasing a patch for supported versions of Remote Support (RS) and Privileged Remote Access (PRA), specifically for versions 22.1 and above.

The medium-severity flaw, identified as CVE-2024-12686, allows attackers who already hold administrative privileges to inject commands and execute them as if they were a legitimate site user, CISA explains.

“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” CISA noted in its latest alert.

This vulnerability is rated 6.6 on the Common Vulnerability Scoring System (CVSS), a score that indicates a notable risk requiring attention, particularly where attackers have already gained administrative privileges.

This CVE marks the second vulnerability disclosed by BeyondTrust during its investigation into a series of attacks in December. In those incidents, attackers exploited a compromised Remote Support SaaS API key to reset the passwords of multiple accounts.

The attacks affected a limited number of BeyondTrust’s Remote Support SaaS customers, highlighting the risk posed by exposed API keys and the need to safeguard such credentials.

The first vulnerability was made public back in December when CISA added CVE-2024-12356 to its KEV catalog. BeyondTrust identified this critical command injection flaw, rated 9.8 on the CVSS scale.

It remains unclear how the medium-severity CVE-2024-12686 is being used in attacks, and whether it is exploited on its own or chained with the critical CVE-2024-12356 vulnerability.