BeyondTrust Discloses Compromise Of Remote Support Software

The identity and access security vendor said that ‘a limited number of Remote Support SaaS customers’ were impacted in an attack this month.

Identity and access security vendor BeyondTrust disclosed that some customers of its remote support tool were impacted in a compromise this month.

BeyondTrust — which provides its Remote Support SaaS offering in addition to its core privileged access management offering — said in an advisory that a “limited number” of customers were affected.

[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]

The advisory did not specify whether any end customers served by the Remote Support SaaS tool were also impacted.

BeyondTrust said in the advisory that the attack began Dec. 2 when “potentially anomalous behavior” was detected.

“The anomalous behavior was confirmed on December 5th, 2024, and a limited number of impacted instances of Remote Support SaaS were identified,” the company said.

Further analysis “identified an API key for Remote Support SaaS had been compromised,” BeyondTrust said.

The API key was revoked and the company said it “notified known impacted customers, and suspended those instances the same day.”

In a statement provided to CRN Thursday, BeyondTrust said that its investigation is ongoing and includes assistance from third-party cybersecurity providers.

“At this time, BeyondTrust is focused on ensuring that all customer instances—both cloud and self-hosted—are fully updated and secure,” the company said. “Our priority remains supporting the limited number of customers impacted and safeguarding their environments.”

This week, BeyondTrust said its investigation led to the discovery of two vulnerabilities — one of which is rated as “critical” — affecting its products. Both are command injection flaws and affect BeyondTrust’s remote support software as well as its privileged remote access tools, the company said.

The critical-severity vulnerability (tracked at BT24-10) “can be exploited through a malicious client request,” BeyondTrust said on its page about the vulnerability. “Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user.”

Meanwhile, a second vulnerability (tracked at BT24-11) is rated at medium severity.

The flaw “can be exploited by a user with existing administrative privileges to upload a malicious file,” BeyondTrust said on its page about the vulnerability. “Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.”

Patches were applied on Monday for cloud customers, while on-premise customers are being urged to apply the provided patch for versions 24.3.1 and earlier of the tools.