A remote access management vulnerability has emerged in BeyondTrust appliances.
The security advisory is available to customers only, but security researcher Brian Krebs has obtained and published a copy.
BeyondTrust’s senior VP for product management Sam Elliott confirmed the vulnerability to iTnews.
“During a recent test, we discovered a critical security vulnerability that requires immediate attention from our customers exclusively running Remote Support versions 23.2.1 and 23.2.2, as well as Privileged Remote Access Versions 23.2.1 and 23.2.2,” Elliott said, both of which were released in the last three months.
The company remediated the bug “immediately”, he said.
“A patch is available and has been automatically deployed to our cloud customers, and to all on-premises customers who participate in our automatic critical update process.
“All impacted on-premises customers have been proactively contacted to install the available patch immediately.”
The bug has a CVSS score of 10, and according to the advisory posted by Krebs, it’s a command injection vulnerability that gives unauthenticated remote attackers the ability to “execute underlying operating system commands within the context of the site user”.
The company said it discovered the vulnerability during “standard code audits and penetration tests”.