9.8

CVE-2024-12356

Warnung
Exploit

Command Injection Vulnerability in Remote Support(RS) & Privileged Remote Access (PRA)

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
BeyondtrustPrivileged Remote Access Version <= 24.3.1
BeyondtrustRemote Support Version <= 24.3.1

19.12.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability

Schwachstelle

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 93.86% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
13061848-ea10-403d-bd75-c83a022c2891 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://nvd.nist.gov/vuln/detail/CVE-2024-12356
Third Party Advisory
US Government Resource
https://www.cve.org/CVERecord?id=CVE-2024-12356
Third Party Advisory
US Government Resource