
BeyondTrust vulnerability added to CISA's list of exploited cybersecurity weaknesses, signifying potential threats.

Federal authorities, working with BeyondTrust, are still investigating the compromise of Treasury Department workstations. Neither party has yet disclosed exactly how each of the identified vulnerabilities (CVEs) was used in the attack chain.

BeyondTrust's second vulnerability has been added to the list of exploited vulnerabilities recognized by CISA.


A significant cybersecurity incident that compromised the U.S. Treasury Department has been attributed to two critical vulnerabilities in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products. The vulnerabilities, CVE-2024-12686 and CVE-2024-12356, have been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

The two flaws are both OS command injection bugs, but of very different severity: CVE-2024-12356 is a critical, pre-authentication command injection that gives an unauthenticated attacker code execution as the site user, while CVE-2024-12686 is a lower-severity command injection that requires existing administrative privileges and is therefore useful mainly for post-compromise escalation. They were exploited by a Chinese state-sponsored hacking group that Microsoft tracks as Silk Typhoon. The attackers combined them with an API key stolen from BeyondTrust to gain unauthorised access to customer systems, notably within the U.S. Treasury Department.

Exploitation of these zero-days gave the attackers remote, unauthenticated code execution on on-premise deployments. BeyondTrust applied fixes to its cloud-hosted instances directly, whereas on-premise customers must install the patches themselves. The result was full control of the affected servers, which facilitated lateral movement, data exfiltration, and the compromise of sensitive environments. Particularly impacted were critical Treasury networks, including the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS), allowing the theft of unclassified but sensitive information about sanctions and foreign investment reviews.

In response, CISA added CVE-2024-12356 to its KEV catalog in December 2024 and CVE-2024-12686 in January 2025, which under Binding Operational Directive 22-01 obliges U.S. federal civilian agencies to remediate by the listed due dates. Organisations running affected on-premise versions of BeyondTrust RS and PRA are urged to update immediately: CVE-2024-12356 needs no credentials to exploit and the impact is full server compromise.
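For a defender, the practical question behind this paragraph is "which of my appliances are still exposed, and is the KEV deadline already past?" The script below is an added example (not BeyondTrust or CISA code) that answers it offline. The KEV records are a constructed excerpt in the field layout of CISA's `known_exploited_vulnerabilities.json` feed, with illustrative due dates; the appliance inventory is constructed sample data; the "24.3.1 and earlier" cut-off follows BeyondTrust's advisory, and treating vendor-patched cloud instances as out of scope is an assumption of the example.

```python
"""Offline triage of BeyondTrust RS/PRA appliances against KEV-listed CVEs.

Added example, not vendor or CISA code. KEV excerpt and inventory below are
constructed sample data shaped like the real feed / a real asset register.
"""
import json
from datetime import date

# Constructed excerpt mirroring the KEV feed's field names (dueDate illustrative).
KEV_EXCERPT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2024-12-19", "dueDate": "2024-12-27"},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03"},
        {"cveID": "CVE-2000-0001", "vendorProject": "OtherVendor",
         "product": "Unrelated", "dateAdded": "2024-01-01", "dueDate": "2024-01-22"},
    ]
})

# Constructed asset register; hostnames are hypothetical.
INVENTORY = [
    {"host": "rs-dc1.example.internal", "product": "RS", "version": "24.3.1",
     "hosting": "on-prem", "patched": False},
    {"host": "pra-lab.example.internal", "product": "PRA", "version": "23.2.4",
     "hosting": "on-prem", "patched": True},
    {"host": "rs-eu.example.internal", "product": "RS", "version": "24.2.2",
     "hosting": "on-prem", "patched": False},
    {"host": "acme.beyondtrustcloud.example", "product": "RS", "version": "24.3.1",
     "hosting": "cloud", "patched": True},
]

# BeyondTrust's advisory: RS and PRA versions 24.3.1 and earlier are affected.
LAST_AFFECTED = (24, 3, 1)


def parse_version(version: str) -> tuple:
    """'24.3.1' -> (24, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def kev_entries(feed_json: str, vendor: str = "BeyondTrust") -> list:
    """Return the KEV records for one vendor from a feed in CISA's JSON layout."""
    feed = json.loads(feed_json)
    return [e for e in feed["vulnerabilities"] if e["vendorProject"] == vendor]


def is_exposed(asset: dict) -> bool:
    """Exposed = self-hosted, not yet patched, and on an affected version."""
    if asset["hosting"] == "cloud":      # assumption: vendor patched SaaS tenants
        return False
    if asset["patched"]:
        return False
    return parse_version(asset["version"]) <= LAST_AFFECTED


def triage(inventory: list, feed_json: str, today: date) -> list:
    """One finding per (exposed asset, KEV CVE), flagged overdue past dueDate."""
    findings = []
    for asset in inventory:
        if not is_exposed(asset):
            continue
        for entry in kev_entries(feed_json):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": due.isoformat(),
                "overdue": today > due,
            })
    return sorted(findings, key=lambda f: (f["host"], f["cve"]))


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_EXCERPT, date.today()):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f'{f["host"]:32} {f["cve"]}  {flag} {f["due"]}')
```

Swap `KEV_EXCERPT` for the downloaded feed and `INVENTORY` for an export from your CMDB; the version comparison is the part worth keeping, since string comparison would wrongly rank "24.10.0" below "24.3.1".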

The Treasury Department hack has been linked to the exploitation of these two BeyondTrust RS/PRA zero-days by Chinese hackers. They used the stolen API key from the BeyondTrust breach to compromise 17 Remote Support SaaS instances and penetrate the Treasury’s networks.

This incident represents a major example of supply chain and privileged access exploitation with significant implications for cybersecurity in government and enterprise sectors. It highlights the importance of timely patching and vigilance in the face of evolving cyber threats.

**Summary Table:**

| Aspect | Details |
|---|---|
| Vulnerabilities | CVE-2024-12356 (critical, unauthenticated OS command injection); CVE-2024-12686 (OS command injection requiring existing administrative privileges, lower severity) |
| Products & Versions Affected | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), versions 24.3.1 and earlier |
| Exploiting Actor | Chinese state-sponsored group "Silk Typhoon" |
| Method of Exploitation | Stolen BeyondTrust API key combined with the zero-days for unauthorized access and remote code execution |
| Target & Impact | U.S. Treasury Department networks (including OFAC and CFIUS); unauthorized access, data theft, lateral movement |
| Remediation | Cloud instances patched by BeyondTrust; on-premise systems require customer-applied updates; CISA KEV listing obliges federal agencies to patch by the due dates |
| Status as of mid-2025 | Known exploited; cloud environments patched; residual risk in on-premise systems that have not been updated |

  1. The Chinese state-sponsored hacking group, Silk Typhoon, exploited the vulnerabilities CVE-2024-12686 and CVE-2024-12356 in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, gaining unauthorized access to systems within the U.S. Treasury Department.
  2. The exploitation of these vulnerabilities allowed the hackers to conduct remote, unauthenticated code execution on on-premise deployments, compromising critical Treasury networks and stealing sensitive unclassified information from the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS).
  3. In response to this incident, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12356 and then CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, obliging U.S. federal agencies to patch affected systems by the listed due dates. Organizations using affected on-premise versions of BeyondTrust RS and PRA are urged to update immediately because of the ease of exploitation and the severity of impact.
