Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Unauthenticated RCE in BeyondTrust PRA and RS

IdentifiersCVE-2024-12356CWE-88

CVE-2024-12356 is a critical vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), affecting versions up to and including 24.3.1. Public vendor and third-party reporting initially described the issue as an unauthenticated command injection that allows a remote attacker to send a malicious client request and execute commands as the site user. Subsequent Rapid7 analysis indicates the vulnerable RS exploitation path is more precisely characterized as argument injection in the thin-scc-wrapper code path reachable via the /nw WebSocket endpoint. In the analyzed path, attacker-controlled input is passed via an unquoted gskey variable into shell processing, enabling injection of echo arguments such as -e to emit raw bytes. That data is then processed by a dbquote helper and ultimately consumed by PostgreSQL psql. Rapid7 concluded that tested RCE exploitation paths for RS required chaining with PostgreSQL flaw CVE-2025-1094, because invalid UTF-8 byte sequences could survive escaping and be interpreted by psql in a way that enabled SQL injection and then OS command execution via psql meta-commands such as !. BeyondTrust nevertheless patched the product-side issue by adding input validation that blocks the malicious gskey values needed for exploitation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote execution of arbitrary commands in the context of the BeyondTrust site user. This can result in full compromise of the affected PRA/RS appliance or server, unauthorized access to sensitive data, deployment of persistence mechanisms, lateral movement, and service disruption. The vulnerability was reported as actively exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog. Public reporting links exploitation of this flaw class to high-impact intrusions, including activity associated with Silk Typhoon and the 2024 U.S. Treasury incident.

Mitigation

If you can’t patch tonight, do this now.

No alternative workaround was reported by BeyondTrust for CVE-2024-12356. If immediate patching is not possible, reduce exposure of PRA/RS management and WebSocket-reachable interfaces, especially internet-facing access to the /nw endpoint, restrict access to trusted networks only, and investigate for compromise using available indicators such as anomalies in thin-scc-wrapper.log, including PostgreSQL UTF-8 byte-sequence errors. Given confirmed in-the-wild exploitation, unpatched exposed systems should be treated as potentially compromised until investigated.

Remediation

Patch, then assume compromise.

Apply BeyondTrust’s fixes for PRA and RS immediately. For affected on-premises deployments running version 24.3.1 or earlier, BeyondTrust advised applying patch BT24-10-ONPREM1 or BT24-10-ONPREM2 as appropriate. Customers on versions older than 22.1 must first upgrade to a supported newer product version before applying the patch. Cloud/SaaS instances were reported patched by BeyondTrust as of December 16, 2024. Because Rapid7 found the RS RCE path relied on PostgreSQL CVE-2025-1094, organizations should also ensure underlying PostgreSQL components are updated where applicable to fixed releases (17.3, 16.7, 15.11, 14.16, 13.19), although BeyondTrust’s product patch was reported to block exploitation in the BeyondTrust context.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
BeyondtrustPrivileged Remote Accessapplication
BeyondtrustRemote Supportapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app
securelistNews
Apr 16, 2026
The vulnerability landscape in Q1 2026 | Securelist

A command injection vulnerability in BeyondTrust software that permits unauthenticated malicious command execution.

Read more
secpod blogNews
Feb 23, 2026
Weaponizing CVE-2026-1731: VShell and SparkRAT in Real-World BeyondTrust Breaches - SecPod Blog

A previously exploited WebSocket input validation vulnerability (details not provided in the content) referenced as technically similar to CVE-2026-1731 and historically leveraged in intrusions attributed to Silk Typhoon/APT27/UNC5221/Emissary Panda.

Read more
the hacker newsNews
Feb 20, 2026
BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration

An input validation vulnerability associated with third-party PostgreSQL usage in BeyondTrust context, referenced as previously exploited by China-nexus actors.

Read more
cyber security newsNews
Feb 20, 2026
Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT

An earlier BeyondTrust WebSocket-related input validation flaw referenced as a predecessor/related weakness to CVE-2026-1731, reported as exploited by Silk Typhoon (APT27) in the 2024 U.S. Treasury breach.

Read more
+17 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence13

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-12356
NVD
nvd.nist.gov/vuln/detail/CVE-2024-12356
MITRE CWE · CWE-88
cwe.mitre.org
Vendor Advisory
beyondtrust.com/trust-center/security-advisories/bt24-10
Third Party Advisory
attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12356