BeyondTrust Cyberattack Exposes Critical API Key, Spurs Emergency Security Measures
December 20, 2024
On the same day, the company suspended the affected Remote Support SaaS instances and provided alternative solutions to its customers.
BeyondTrust has since patched vulnerabilities across all cloud instances automatically, though users with self-hosted instances must apply updates manually.
The investigation revealed two vulnerabilities: CVE-2024-12356, a critical command injection flaw with a severity score of 9.8, and CVE-2024-12686, a medium-severity flaw identified shortly after the attack.
CVE-2024-12356 allows unauthenticated remote attackers to execute operating system commands, while CVE-2024-12686 enables attackers with admin privileges to inject commands and upload malicious files.
Although it is possible that these vulnerabilities were exploited during the attack, BeyondTrust has not confirmed their active exploitation in its advisories.
Ongoing investigations into the security incident are expected to yield further updates from BeyondTrust as more information becomes available.
BeyondTrust primarily serves large enterprises, government agencies, and financial institutions with its cloud-hosted solutions for secure remote support.
The company discovered and patched the vulnerabilities shortly after the attack, although they were not believed to have been exploited.
BeyondTrust, a cybersecurity company specializing in Privileged Access Management, identified a cyberattack in early December 2024 after detecting anomalous behavior on its network.
The attack, which was confirmed on December 2, involved the compromise of Remote Support SaaS instances, allowing hackers to gain access to a critical API key.
This compromised API key enabled the attackers to reset passwords for local application accounts, posing a significant security risk.
In response, BeyondTrust revoked the compromised API key and notified affected customers on December 5, 2024.
Summary based on 2 sources
Sources
TechRadar Pro • Dec 20, 2024
BeyondTrust says hackers hit its remote support products
BleepingComputer • Dec 19, 2024
BeyondTrust says hackers breached Remote Support SaaS instances