🔴 CVE-2024-12686

OS command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access allowing attackers with administrative privileges to execute commands as site users. This affects remote access platforms that are inherently internet-facing by design and is actively exploited in the wild per CISA KEV.

Risk Level: HIGH_RISK

CVSS Score: 6.6

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1133 — External Remote Services

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2024-12-18

Added to CISA KEV: 2025-01-13 (26 days between CVE publication and KEV listing)


🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-12686 is an OS command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products [1].

Vulnerability Overview and Impact
  • Nature of Vulnerability: This is an OS command injection vulnerability that allows an attacker to inject commands and execute them as a site user [1].
  • Exploitation Requirements: Unlike some other critical vulnerabilities, this flaw requires the attacker to already possess existing administrative privileges within the application [1] [2]. It is primarily considered a post-exploitation mechanism used to gain a stronger foothold or persist in an already compromised environment [3].
  • Impact: Successful exploitation allows for the execution of arbitrary commands and the uploading of malicious files, effectively granting the attacker elevated control over the affected instance [3].
Context and Exploitation
  • Active Exploitation: The vulnerability was disclosed in December 2024 and has since been discussed alongside other vulnerabilities in the same products (such as CVE-2024-12356) in the context of high-profile security incidents, including reports of state-sponsored activity [4].
  • Ransomware/Targeted Attacks: The vulnerability is generally associated with targeted, post-exploitation activity rather than automated ransomware campaigns, given the requirement for prior administrative access to the system.
Affected Versions and Mitigation
  • Affected Products: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) [1].
  • Patch Status: BeyondTrust released patches for this vulnerability in December 2024 [2].
    • Cloud Customers: Patches were automatically applied to all cloud instances by December 16, 2024 [2].
    • On-Premise Customers: Administrators were required to apply the patch manually via the `/appliance` interface [2].

It is important to distinguish this from CVE-2024-12356, which was a separate, critical vulnerability in the same products that allowed for *unauthenticated* command injection [5]. The two are often mentioned together in security advisories from that period [2].

Sources

  1. CVE-2024-12686 Detail - NVD

    A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative ...

  2. BT24-11 | BeyondTrust

    A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative ... A patch has been applied to all RS/PRA cloud customers as of December 16, 2024 that remediates this vulnerability. On-premise customers of RS/PRA…

  3. CVE-2024-12686 - Exploits & Severity - Feedly

    CVE-2024-12686 is a medium-severity vulnerability that allows attackers with administrative privileges to upload malicious files and execute arbitrary commands, serving as a post-exploitation mechanism for gaining a stronger foothold in compromised environments. BeyondTrust has released patches for…

  4. CVE-2024-30040 - Exploits & Severity - Feedly

    Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 8.8, CVEs: CVE-2024-26238, CVE-2024-29994, CVE-2024-29996, CVE-2024-29997, CVE-2024-29998, CVE-2024-29999, CVE-2024-30000, CVE-2024-30001, CVE-2024-30002, CVE-2024-30003, CVE-2024-30004, CVE-2024-30005, CVE-20…

  5. NVD - CVE-2024-12356

    CVE-2024-12356 Detail. Description. A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE CISA KEV Update by Cybersecurity and Infrastructure Secur…