CVE-2024-12356

CRITICAL KEV NUCLEI

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2024-12356 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 19, 2024. EIP tracks 2 public exploits from researchers including Harsh Jaiswal, Jonah Burgess (CryptoCat), sfewer-r7, including a Metasploit module exploits/linux/http/beyondtrust_pra_rs_command_injection. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated remote code execution vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) by leveraging command injection via a WebSocket connection. It supports multiple CVEs, including CVE-2024-12356, and executes payloads with the privileges of the site user.

Description

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

Exploits (2)

metasploit WORKING POC EXCELLENT
by Harsh Jaiswal, Jonah Burgess (CryptoCat) · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_command_injection.rb

This Metasploit module exploits an unauthenticated remote code execution vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) by leveraging command injection via a WebSocket connection. It supports multiple CVEs, including CVE-2024-12356, and executes payloads with the privileges of the site user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and prior
No auth needed
Prerequisites: Network access to the target WebSocket endpoint · Target running a vulnerable version of BeyondTrust PRA/RS
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by sfewer-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb

This Metasploit module exploits an unauthenticated remote code execution vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 24.3.1 and below. It leverages a combination of argument injection (CVE-2024-12356) and SQL injection (CVE-2025-1094) to achieve RCE with the privileges of the site user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) <= 24.3.1
No auth needed
Prerequisites: Network access to the target system · Target running vulnerable version of BeyondTrust PRA/RS
devstral-2 · analyzed Feb 21, 2026 Full analysis →

Nuclei Templates (1)

Privileged Remote Access & Remote Support - Command Injection
CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9386
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-12-19
VulnCheck KEV 2024-12-19
InTheWild.io 2024-12-19
ENISA EUVD EUVD-2024-50801
CWE
CWE-77
Status published
Products (2)
beyondtrust/privileged_remote_access < 24.3.1
beyondtrust/remote_support < 24.3.1
Published Dec 17, 2024
KEV Added Dec 19, 2024
Tracked Since Feb 18, 2026