CVE-2024-12356: BeyondTrust PRA and RS Command Injection — Used to Breach the US Treasury
An unauthenticated command injection in BeyondTrust Privileged Remote Access and Remote Support, exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance used by the US Treasury Department in one of 2024's most significant breaches
CVE-2024-12356 is a critical OS command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), disclosed December 17, 2024. An unauthenticated attacker can send a crafted request to a vulnerable API endpoint and execute arbitrary operating system commands on the BeyondTrust server. The vulnerability was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance used by a US Treasury Department vendor, resulting in unauthorized access to Treasury workstations and unclassified documents — one of the most significant U.S. government breaches of 2024.
Vulnerability Details: Unauthenticated API Command Injection
BeyondTrust Privileged Remote Access and Remote Support expose API endpoints for integrations with help desk ticketing systems, ITSM platforms, and automated workflows. CVE-2024-12356 exists in one of these API endpoints where user-supplied input is passed to an OS-level function without adequate sanitization.
An unauthenticated attacker can craft a request to the vulnerable endpoint with injected shell metacharacters or command separators, causing the BeyondTrust server to execute arbitrary OS commands with the privileges of the application process — typically a privileged service account with significant access to the underlying server and connected infrastructure.
The US Treasury Breach: How the Attack Unfolded
The US Treasury breach illustrates the supply chain dimension of PAM (Privileged Access Management) tool compromise:
BeyondTrust's Remote Support was used by a Treasury vendor to provide IT support to Treasury Department employees. The vendor's BeyondTrust SaaS instance was compromised via CVE-2024-12356. The attacker obtained the API key that BeyondTrust's Remote Support used to initiate remote desktop sessions on Treasury workstations.
With this API key, the attacker could:
- Initiate remote support sessions to Treasury employee workstations
- Access files and systems visible during those sessions
- Exfiltrate unclassified documents from the Treasury's Office of Foreign Assets Control (OFAC) — the sanctions enforcement body
The Treasury notified Congress that the incident was attributed to a Chinese state-sponsored actor. Given OFAC's role in administering sanctions — including sanctions against Chinese entities — this targeting represents a high-priority intelligence collection objective.
1. **Compromise BeyondTrust SaaS instance via CVE-2024-12356**: Unauthenticated attacker sends a crafted request to the BeyondTrust Remote Support API endpoint with injected OS commands, achieving code execution on the BeyondTrust server.
2. **Extract API key for Remote Support sessions**: With code execution on the BeyondTrust server, the attacker extracts the API key used by the vendor's Remote Support instance to initiate sessions with customer (Treasury) workstations.
3. **Initiate remote sessions to Treasury workstations**: Using the stolen API key, the attacker initiates Remote Support sessions to US Treasury Department employee workstations, appearing as a legitimate vendor support action from the BeyondTrust infrastructure.
4. **Access and exfiltrate unclassified documents**: During remote sessions, the attacker accesses files and systems visible to the workstations, focusing on OFAC (Office of Foreign Assets Control) systems containing sanctions-related documentation.
Discovery and Disclosure
BeyondTrust identified anomalous API activity and notified the Treasury vendor on December 8, 2024. Treasury notified CISA and the FBI. The breach was disclosed publicly in December 2024.
Why PAM Tool Compromise Is Exceptionally High-Impact
Privileged Access Management tools like BeyondTrust hold a uniquely dangerous position in enterprise security architecture:
- **API keys for remote session initiation**: A compromised BeyondTrust instance may hold API keys enabling remote access to hundreds or thousands of endpoints
- **Session recording storage**: PAM tools store recordings of privileged sessions, which may contain credentials entered during sessions
- **Credential vaults**: BeyondTrust PRA includes credential vaulting for privileged accounts — a compromised vault is a complete credential disclosure
- **Trusted network position**: PAM tools are explicitly trusted by network security controls to initiate privileged sessions, making their traffic difficult to distinguish from legitimate activity
A compromised PAM tool is effectively a master key to every system it manages.
Detection
Indicators for CVE-2024-12356 exploitation:
| Artifact | Source | Detection guidance |
|---|---|---|
| Unauthenticated API requests to BeyondTrust PRA/RS endpoints with shell metacharacters or encoded command injection payloads | BeyondTrust access log / WAF log | Review API access logs for requests to integration endpoints from unexpected source IPs without valid authentication tokens; command injection attempts may contain characters like `;`, `&&`, `\|`, `$()`, or backticks |
| Unexpected processes spawned by the BeyondTrust application service account | Process telemetry (EDR) | BeyondTrust service processes spawning cmd.exe, sh, bash, curl, wget, or similar utilities is anomalous and indicates successful command injection |
| API key usage from IP addresses not associated with known BeyondTrust server infrastructure | BeyondTrust audit log / SIEM | Legitimate API key usage originates from your BeyondTrust server IP; API key authentication from any other source indicates key theft |
| Outbound network connections from the BeyondTrust server to external IPs on non-standard ports | Network telemetry | Post-exploitation C2 callback or data exfiltration; the BeyondTrust server should communicate with known endpoints only, so any unexpected external connection warrants investigation |
Remediation
Priority steps:
Apply the December 2024 BeyondTrust patch immediately
BeyondTrust released patches for PRA and RS addressing CVE-2024-12356. Self-hosted customers must apply the patch manually; SaaS instances were patched by BeyondTrust directly. Verify your patch status via the BeyondTrust support portal.
Rotate all API keys issued by the BeyondTrust instance
If your instance was potentially exposed before patching, treat all API keys as compromised. Revoke all existing API keys and reissue. Audit systems that hold API keys — any system with a BeyondTrust API key may have been accessible to the attacker.
Audit BeyondTrust session logs for unauthorized sessions
Review all remote support and privileged access sessions during the potential compromise window. Look for sessions initiated from unexpected source IPs, sessions at unusual hours, or sessions targeting high-value systems without corresponding support tickets.
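Detection logic for the indicators in the table above and for this session-audit step, run over constructed sample records; this is an added example, not code from the page or from BeyondTrust, and the log field names, the `/api/integration/` path prefix, the business-hours window and the server IP are all assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample records; field names are assumptions, not the product's
# real log schema. Only the fields the detections below need are kept.
API_LOG = [
    {"ip": "10.0.5.20",    "auth": True,  "path": "/api/integration/ticket", "query": "id=4521"},
    {"ip": "203.0.113.7",  "auth": False, "path": "/api/integration/ticket", "query": "id=1;foo"},
    {"ip": "198.51.100.9", "auth": False, "path": "/api/integration/ticket", "query": "id=%24%28bar%29"},
    {"ip": "192.0.2.44",   "auth": True,  "path": "/api/sessions",           "query": "id=77"},
]
SESSIONS = [
    {"id": "S1", "ip": "10.0.5.20",   "start": "2024-12-03T14:05:00", "ticket": "INC1001"},
    {"id": "S2", "ip": "203.0.113.7", "start": "2024-12-04T02:41:00", "ticket": None},
    {"id": "S3", "ip": "10.0.5.20",   "start": "2024-12-04T22:10:00", "ticket": "INC1002"},
]
KNOWN_SERVER_IPS = {"10.0.5.20"}  # assumed address of the organisation's own BeyondTrust server

# Metacharacters from the detection table, matched after URL-decoding so that
# percent-encoded variants are not missed.
META = re.compile(r";|&&|\||\$\(|`")

def flag_injection_attempts(records, prefix="/api/integration/"):
    """Unauthenticated requests to integration endpoints that carry shell metacharacters."""
    return [r["ip"] for r in records
            if r["path"].startswith(prefix) and not r["auth"]
            and META.search(unquote(r["query"]))]

def flag_foreign_api_use(records, known_ips):
    """Authenticated API use from any address other than the known server: possible key theft."""
    return [r["ip"] for r in records if r["auth"] and r["ip"] not in known_ips]

def audit_sessions(sessions, known_ips, business_hours=(8, 18)):
    """Map session id -> reasons it needs review (unexpected IP, off-hours, missing ticket)."""
    findings = {}
    for s in sessions:
        hour = datetime.fromisoformat(s["start"]).hour
        checks = (("unexpected-source-ip", s["ip"] not in known_ips),
                  ("off-hours", not business_hours[0] <= hour < business_hours[1]),
                  ("no-ticket", not s["ticket"]))
        reasons = [name for name, suspicious in checks if suspicious]
        if reasons:
            findings[s["id"]] = reasons
    return findings

if __name__ == "__main__":
    print(flag_injection_attempts(API_LOG))                # ['203.0.113.7', '198.51.100.9']
    print(flag_foreign_api_use(API_LOG, KNOWN_SERVER_IPS))  # ['192.0.2.44']
    print(audit_sessions(SESSIONS, KNOWN_SERVER_IPS))       # S2: three reasons, S3: off-hours only
```

Feed real access, audit and session exports in place of the constructed lists and tune the prefix, hours and known-IP set to your deployment; matches are review queues, not verdicts.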
Restrict API endpoint access to known source IPs
Configure network-level restrictions on the BeyondTrust API endpoints to allow access only from known integration source IPs. This reduces the attack surface for command injection via the API path even on patched systems.
Review privileged credential vault contents and rotate vaulted credentials
If BeyondTrust PRA's credential vault was potentially accessible post-compromise, treat all vaulted credentials as exposed. Rotate privileged account passwords for all credentials stored in the vault.
The bottom line
CVE-2024-12356 demonstrates that PAM tools — the systems designed to protect privileged access — are themselves extremely high-value targets. Compromising BeyondTrust didn't require attacking the Treasury directly; it required compromising a trusted vendor's tool with a privileged session-initiation capability. Third-party PAM tool security must be held to at least the same standard as the systems they protect. API keys with session-initiation capability should be treated with the same sensitivity as domain admin credentials — any exposure warrants immediate rotation and comprehensive audit.
Frequently asked questions
What is CVE-2024-12356?
CVE-2024-12356 is a critical OS command injection vulnerability in BeyondTrust Privileged Remote Access and Remote Support that allows an unauthenticated remote attacker to inject and execute arbitrary operating system commands via a vulnerable API endpoint. CVSS score is 9.8.
How was CVE-2024-12356 used to breach the US Treasury?
A Chinese state-sponsored actor compromised a BeyondTrust SaaS instance using CVE-2024-12356. BeyondTrust's Remote Support product was used by the US Treasury's vendor to provide IT support — the compromised instance gave the attacker access to the API key used to remotely access Treasury employee workstations, leading to the breach of unclassified Treasury systems including OFAC.
Does CVE-2024-12356 affect BeyondTrust cloud (SaaS) customers?
Yes. The Treasury breach involved a BeyondTrust SaaS instance, confirming the vulnerability affected cloud deployments. BeyondTrust patched SaaS instances before releasing guidance for self-hosted customers. Both deployment models were vulnerable.
Is CVE-2024-12356 related to CVE-2024-12686 (the second BeyondTrust CVE)?
BeyondTrust disclosed a second vulnerability, CVE-2024-12686, in January 2025 — a medium-severity flaw requiring existing admin credentials. CVE-2024-12356 is the critical pre-authentication vulnerability. Both were identified in the context of the same incident investigation.
Founder & Cybersecurity Evangelist, Decryption Digest