Intelligent identity and access security provider BeyondTrust has concluded its investigation into a cybersecurity incident that targeted certain instances of its Remote Support Software-as-a-Service (SaaS) platform. The breach, first spotted on December 5, 2024, involved the use of a compromised API key to gain unauthorized access to 17 customer accounts. The company has since taken steps to mitigate the impact, including revoking the compromised key and suspending affected instances.
The breach was traced back to a third-party application vulnerability that allowed a threat actor to gain access to a BeyondTrust AWS account. From there, the actor obtained an infrastructure API key, which was then used to reset local application passwords and access Remote Support SaaS instances. BeyondTrust said no products other than its Remote Support SaaS were affected by the incident.
The investigation revealed two security flaws in BeyondTrust’s own products (CVE-2024-12356 and CVE-2024-12686) that were exploited in the attack. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these CVEs to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.
The US Treasury Department confirmed it was one of the impacted entities, although no other federal agencies have been assessed as affected by the breach.