CVE-2024-12356: BeyondTrust PRA and RS Command Injection, Used to Breach the US Treasury
An unauthenticated command injection in BeyondTrust Privileged Remote Access and Remote Support, exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance used by the US Treasury Department in one of 2024's most significant breaches

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2024-12356 is a critical OS command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), disclosed December 17, 2024. An unauthenticated attacker can send a crafted request to a vulnerable API endpoint and execute arbitrary operating system commands on the BeyondTrust server. The vulnerability was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance used by a US Treasury Department vendor, resulting in unauthorized access to Treasury workstations and unclassified documents, one of the most significant U.S. government breaches of 2024.
Vulnerability Details: Unauthenticated API Command Injection
BeyondTrust Privileged Remote Access and Remote Support expose API endpoints for integrations with help desk ticketing systems, ITSM platforms, and automated workflows. CVE-2024-12356 exists in one of these API endpoints where user-supplied input is passed to an OS-level function without adequate sanitization.
An unauthenticated attacker can craft a request to the vulnerable endpoint with injected shell metacharacters or command separators, causing the BeyondTrust server to execute arbitrary OS commands with the privileges of the application process, typically a privileged service account with significant access to the underlying server and connected infrastructure.
The US Treasury Breach: How the Attack Unfolded
The US Treasury breach illustrates the supply chain dimension of PAM (Privileged Access Management) tool compromise:
BeyondTrust's Remote Support was used by a Treasury vendor to provide IT support to Treasury Department employees. The vendor's BeyondTrust SaaS instance was compromised via CVE-2024-12356. The attacker obtained the API key that BeyondTrust's Remote Support used to initiate remote desktop sessions on Treasury workstations.
With this API key, the attacker could:
- Initiate remote support sessions to Treasury employee workstations
- Access files and systems visible during those sessions
- Exfiltrate unclassified documents from the Treasury's Office of Foreign Assets Control (OFAC), the sanctions enforcement body
The Treasury notified Congress that the incident was attributed to a Chinese state-sponsored actor. Given OFAC's role in administering sanctions, including sanctions against Chinese entities, this targeting represents a high-priority intelligence collection objective.
Compromise BeyondTrust SaaS Instance via CVE-2024-12356
Unauthenticated attacker sends crafted request to the BeyondTrust Remote Support API endpoint with injected OS commands, achieving code execution on the BeyondTrust server.
Extract API Key for Remote Support Sessions
With code execution on the BeyondTrust server, attacker extracts the API key used by the vendor's Remote Support instance to initiate sessions with customer (Treasury) workstations.
Initiate Remote Sessions to Treasury Workstations
Using the stolen API key, attacker initiates Remote Support sessions to US Treasury Department employee workstations, appearing as a legitimate vendor support action from the BeyondTrust infrastructure.
Access and Exfiltrate Unclassified Documents
During remote sessions, attacker accesses files and systems visible to the workstations, focusing on OFAC (Office of Foreign Assets Control) systems containing sanctions-related documentation.
Discovery and Disclosure
BeyondTrust identified anomalous API activity and notified the Treasury vendor on December 8, 2024. Treasury notified CISA and the FBI. The breach was disclosed publicly in December 2024.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Why PAM Tool Compromise Is Exceptionally High-Impact
Privileged Access Management tools like BeyondTrust hold a uniquely dangerous position in enterprise security architecture:
- API keys for remote session initiation: A compromised BeyondTrust instance may hold API keys enabling remote access to hundreds or thousands of endpoints
- Session recording storage: PAM tools store recordings of privileged sessions, which may contain credentials entered during sessions
- Credential vaults: BeyondTrust PRA includes credential vaulting for privileged accounts, a compromised vault is a complete credential disclosure
- Trusted network position: PAM tools are explicitly trusted by network security controls to initiate privileged sessions, making their traffic difficult to distinguish from legitimate activity
A compromised PAM tool is effectively a master key to every system it manages.
Detection
Indicators for CVE-2024-12356 exploitation:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Priority steps:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2024-12356 demonstrates that PAM tools, the systems designed to protect privileged access, are themselves extremely high-value targets. Compromising BeyondTrust didn't require attacking the Treasury directly; it required compromising a trusted vendor's tool with a privileged session-initiation capability. Third-party PAM tool security must be held to at least the same standard as the systems they protect. API keys with session-initiation capability should be treated with the same sensitivity as domain admin credentials, any exposure warrants immediate rotation and comprehensive audit.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2024-12356?
CVE-2024-12356 is a critical OS command injection vulnerability in BeyondTrust Privileged Remote Access and Remote Support that allows an unauthenticated remote attacker to inject and execute arbitrary operating system commands via a vulnerable API endpoint. CVSS score is 9.8.
How was CVE-2024-12356 used to breach the US Treasury?
A Chinese state-sponsored actor compromised a BeyondTrust SaaS instance using CVE-2024-12356. BeyondTrust's Remote Support product was used by the US Treasury's vendor to provide IT support, the compromised instance gave the attacker access to the API key used to remotely access Treasury employee workstations, leading to the breach of unclassified Treasury systems including OFAC.
Does CVE-2024-12356 affect BeyondTrust cloud (SaaS) customers?
Yes. The Treasury breach involved a BeyondTrust SaaS instance, confirming the vulnerability affected cloud deployments. BeyondTrust patched SaaS instances before releasing guidance for self-hosted customers. Both deployment models were vulnerable.
Is CVE-2024-12356 related to CVE-2024-12686 (the second BeyondTrust CVE)?
BeyondTrust disclosed a second vulnerability, [CVE-2024-12686](https://nvd.nist.gov/vuln/detail/CVE-2024-12686), in January 2025, a medium-severity flaw requiring existing admin credentials. CVE-2024-12356 is the critical pre-authentication vulnerability. Both were identified in the context of the same incident investigation.
Why is compromising a PAM tool like BeyondTrust worse than compromising a single server?
A Privileged Access Management tool sits at the center of an organization's privileged access infrastructure and holds the keys to every system it manages. Compromising BeyondTrust Remote Support specifically can yield: API keys for initiating remote desktop sessions on any managed endpoint; session recordings that may contain credentials entered during past sessions; credential vault contents if BeyondTrust PRA's vaulting feature is used; and a trusted network position where remote access sessions originating from the BeyondTrust server are explicitly permitted by firewall rules and trusted by endpoint security. The Treasury breach demonstrated that a vendor's BeyondTrust instance can be leveraged as a stepping stone to reach the vendor's customers, converting a single vendor compromise into access to dozens of customer environments.
What is OFAC and why was it the target in the Treasury breach?
OFAC (Office of Foreign Assets Control) is the US Treasury Department office responsible for administering and enforcing economic and trade sanctions against foreign countries, entities, and individuals. OFAC designates which foreign companies, individuals, and governments are subject to US sanctions, and maintains the Specially Designated Nationals (SDN) list that US persons are prohibited from transacting with. For a Chinese state-sponsored actor, access to OFAC systems is an exceptionally high-value intelligence target: understanding which Chinese entities are under current or pending sanctions investigation, which individuals are being designated, and what the Treasury's enforcement strategy is provides strategic and tactical intelligence of significant national security value to the Chinese government.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
