Critical Command Injection Vulnerability in BeyondTrust Remote Support and Privileged Remote Access

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical BeyondTrust Remote Support and Privileged Remote Access vulnerability, CVE-2024-12356, to its Known Exploited Vulnerabilities (KEV) Catalogue. CVE-2024-12356 has been assigned a CVSS 3.1 score of 9.8, categorising it as a critical vulnerability. The vulnerability in BeyondTrust’s Remote Support and Privileged Remote Access products allows an unauthenticated attacker to inject commands which are run as a site user.

Impact

This vulnerability allows attackers to execute commands on the underlying operating system by sending malicious client requests to the affected product. With a CVSS v3.1 base score of 9.8, it is classified as critical.

Vulnerability Detection

BeyondTrust has released patches for Remote Support and Privileged Remote Access to address this vulnerability. Privileged Remote Access version 24.3.1 and earlier, and Remote Support version 24.3.1 and earlier are vulnerable.

Exploitation

The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list.

Containment, Mitigations & Remediations

BeyondTrust applied a patch to all cloud users’ instances as of 16th December 2024 that remediates this vulnerability.

The patch was also pushed to on-premises users who are subscribed to automatic updates in their appliance interface. However, we recommend customers confirm this patch has been installed.

We strongly recommend all other on-premises users install the relevant patches as soon as possible as this vulnerability is under active exploitation.

For Privileged Remote Access, patch BT24-10-ONPREM1 or BT24-10-ONPREM2 should be implemented, dependent on the Privileged Remote Access version.

For Remote Support, patch BT24-10-ONPREM1 or BT24-10-ONPREM2 should be implemented, dependent on Remote Support version.

Users on versions older than version 22.1 will need to update to a newer version to implement these patches.

Threat Landscape

BeyondTrust is a major provider of a range of products including remote access and access management solutions. Remote Support is a remote access solution allowing service desks to remotely connect to Windows, Linux, macOS, Chrome OS, iOS, and Android devices. Privileged Remote Access provides control, management, and auditing of privileged accounts and credentials to ensure zero-trust access to both on-premises and cloud resources for internal, external, and third-party users. BeyondTrust has customers in a range of industries including, but not limited to, government, healthcare, financial services, energy, technology, and education.


How Private Equity Firms can Proactively Strengthen Cyber Security and Resilience for Portfolio Companies and Themselves

Chairs and risk committee members have the power to minimise cyber risk and empower portfolio companies to safely and swiftly recover from cyber-attacks.

Traditionally, boards that manage risk scorecards have seen major risks change from quarter to quarter, and year to year, influenced by economic conditions, political factors, supply chain issues, and consumer buying patterns. These factors have always naturally ebbed and flowed depending on the nature of the business and the sector, and government and industry policies.

But this landscape has fundamentally changed. Today, every private equity (PE) firm that systematically evaluates, quantifies, and manages risks must understand that cyber risk is undoubtedly the single biggest risk for its business and for each of its portfolio companies. Not only is it the risk that is most likely to occur, but it also carries the deepest consequences if it becomes a reality.

With cyber risk the greatest risk the sector faces today, the chair and risk committee of every PE portfolio company need to place cyber security at the top of the risk agenda – guided and supported by the PE firm. The chair and risk committee are accountable, and the onus is on them to act decisively before it’s too late. Therefore, they must proactively take two important steps to protect their most valuable assets:

  1. Strengthen the firm’s cyber security posture and
  2. Build cyber resilience in case it is compromised.

Both can be done through a robust cyber security strategy.

Fortify security and boost resilience

Prevention is better than cure, but in today’s highly unpredictable threat landscape, no organisation can guarantee it won’t be compromised. That’s why it’s essential to build a strong cyber security posture and resilience for any eventuality.

Despite the omnipresent threat of cybercriminals and cyber-attacks, there’s no need to panic or be alarmist. However, it is essential for the chair and risk committee to take cyber threats with the same seriousness as any other threat to the PE firm or any of the portfolio companies. Fortunately, there are tried and tested actions that decision makers can take to fortify the cyber security posture of a company and make it significantly more robust.

By strengthening cyber security, a company effectively reduces the chances of a cyber-attack from being successful in the first place. And by improving resilience, the company can return to business as usual quickly and safely with the least possible disruption to its business.

Start with self-assessment

Rather than rush to buy the latest best-of-breed tools to defend every specific component of the entire IT estate, it’s wiser to begin with a cyber risk assessment (CRA). This allows an organisation to start by understanding the exact state of its cyber security posture and think about where it would like it to be.

Monitoring, detecting, and responding to incidents

Cybercriminals are professionals and work around the clock. So, any PE firm needs to implement continuous monitoring, detection, and response capabilities across its whole IT ecosystem. This is catered for by a managed detection and response (MDR) service run by an external qualified team of cyber security analysts. This team is often called a Security Operations Centre, or SOC for short. The SOC team should have eyes on your systems 24/7, 365 days a year, and collaborate with an Incident Response (IR) team that’s ready to respond to any cyber incidents at any time of the day or night.

Preparation and planning

The name of the IR team perhaps leads business leaders to think that it is only activated to respond after a cyber incident. But this team should be employed well in advance. One of an IR team’s specialities is to prepare a business for the worst-case scenario. PE firms should bring the IR team in to help them plan for any cyber-attack and run tabletop exercises. These are the equivalent of emergency fire drills so that everyone knows what to do, who to communicate to, and when, in the event of a compromise.

For an IR plan to be useful, it needs to be regularly reviewed and practised. Historical cases of cyber-attacks demonstrate clearly that companies that thoroughly prepared and planned for them came through incidents in much better shape than those that didn’t. Those that plan and practise have even impressed business stakeholders with their achievements in handling such an unenviable situation. Handling an incident well can also affect the reputation of the business and its leaders and reduce cyber insurance premiums.

Take the next step to stronger cyber security

Businesses can go further still. By adopting a threat-led approach to cyber security, PE firms and portfolio companies can better anticipate and defend against potential attacks, making their security posture more resilient and adaptive to the evolving threat landscape.

A Threat Intelligence (TI) team can assess threats more likely to impact an organisation based on factors such as:

  • Industry
  • Region
  • The stage of the deal cycle.

TI experts study which cybercriminal groups and nation-state actors target the sector and region, and which tactics, techniques, and procedures (TTPs) they use. This intelligence can help the company secure any vulnerabilities and be on guard for suspicious activities.

A threat-led approach emphasises the proactive identification and analysis of potential threats to the firm’s digital infrastructure.

Take decisive action today

As a Microsoft Solutions Partner for Security with a 350-strong team of experts in the UK, the US, and Canada, Quorum Cyber provides a comprehensive range of cyber security and data security services, and has deep expertise in the private equity world.

If you would like to discuss how Quorum Cyber can help protect your PE firm and its portfolio companies, please contact us today.


Top Three Ways Your Organisation Can Stay Cyber-Safe this Christmas

Strengthen your cyber security for the festive season

As the festive season approaches more people will start logging off work for Christmas and that includes cyber security professionals who need a well-earned break. But cybercriminals know that when organisations are understaffed or team members have their minds on other things, that’s the perfect time to strike.

So, what can organisations do to prepare for this two- or three-week stretch when they might be more vulnerable than usual? As always, having excellent cyber hygiene in place is the best policy to reduce the chances of a cyber-attack getting through your defences. Good preparation is essential to get your organisation in the best possible shape in case the worst does happen.

By doing the basics brilliantly, you’ll go a long way to reducing the chances of succumbing to a cyber incident because financially motivated criminals preferably want easier targets with a low risk of being caught and a high reward. Making your defences difficult to get through should deter them. That said, you need to prepare for the worst-case scenario.

Here is our advice on the top three sets of actions to take to get ready for the festive season:

  1. Before a cyber incident
  • Implement strong password policies: use complex, unique passwords and enable multi-factor authentication (MFA)
  • Regularly update software: keep all systems and software up to date with the latest security patches
  • Employee training: train employees on cyber security awareness and best practices
  • Data backup and recovery: back up critical data and ensure backups are secure and easily recoverable
  • Incident response plan: prepare a well-documented incident response plan, test it, and have it to hand as a paper copy
  • Be extra cautious with emails: cybercriminals often use phishing emails that look like they come from legitimate sources; be wary of any email that asks for personal information or contains links and attachments, or presses you to act urgently.
  2. During a cyber incident
  • Incident response plan: run through your plan as you practised before the day
  • Containment: contact cyber security experts to manage the incident and isolate affected systems to prevent the attack from spreading
  • Communication: establish clear communication protocols to inform relevant internal and external stakeholders, and your cyber insurance company
  • Monitor for further threats: keep a close watch on your network for any signs of additional threats or suspicious activity.
  3. After a cyber incident
  • Post-incident analysis: conduct a thorough review to understand the cause and impact of the incident
  • Improve security measures: update security policies and controls based on lessons learned from the incident
  • Review and update policies: ensure all cyber security policies are up to date and reflect the latest best practices and regulatory requirements
  • Enhance monitoring and detection: invest in advanced monitoring tools, such as Clarity Defend, Clarity Extend, or Clarity Protect, to detect suspicious activities early and respond promptly.

What to do in the event of a cyber-attack

If you’ve been hit by a cyber-attack, you need to move fast. Follow these crucial Cyber Incident Responder’s dos and don’ts to help you take the correct immediate actions and know what to avoid.

By embracing these essential guidelines, you can turn potential cyber chaos into a well-orchestrated response, and navigate digital threats with confidence and precision throughout this holiday season.

If you believe you’re experiencing a cyber incident right now, please call our Incident Response team on +44 333 444 0041 (UK) or +1-813-896-0496 (US) and we’ll help you right away.

Discover more about Quorum Cyber

Our Security Operations Centre (SOC) team, which spans the UK and North America, holds the fort 24/7, 365 days a year, including Christmas Day and New Year’s Day. We know that cybercriminals never rest – so neither do we. Our sole purpose is to protect organisations in any sector every minute of every day.

Get in touch if you would like to discuss how we can minimise the chances of a cyber incident damaging your business – every day of the year.


Proof of Concept Released for Critical RegreSSHion Vulnerability

Overview 

The name RegreSSHion refers to a vulnerability tracked as CVE-2024-6387 within OpenSSH that enables remote code execution and potentially grants attackers root privileges on servers running the OpenSSH server. It was uncovered by the Qualys Threat Research Unit in May 2024.

RegreSSHion is present in every version of OpenSSH from 8.5p1 through to 9.7p1. A fix was delivered on the day of publication in 9.8p1. At the time of publication, Qualys reported that 14 million publicly accessible OpenSSH instances could have been exposed to this threat. Responsible disclosure was practised, allowing OpenSSH contributors to develop a fix before the vulnerability was made public. Readers should note that only Linux systems using the GNU C Library – commonly referred to as glibc – as their standard C library were impacted, which leaves all other platforms unaffected by RegreSSHion at the time of writing.

Technical Overview

A race condition in the signal handler of sshd (the OpenSSH server component) sits at the core of the RegreSSHion vulnerability. It is triggered when an SSH client fails to authenticate within the configured login grace period: once the timeout expires, sshd’s signal handler is invoked asynchronously, and functions called from within that handler are not async-signal-safe, which introduces the race condition. The vulnerability is a regression of an older flaw, tracked as CVE-2006-5051 and present in OpenSSH versions 4.4p1 and below, in which free() was reached asynchronously from the handler. Removing a crucial condition that had mitigated the earlier vulnerability re-introduced the problem as CVE-2024-6387, this time reaching both free() and malloc().

Impact

RegreSSHion (CVE-2024-6387) poses a critical risk to organisations running OpenSSH versions 8.5p1 through 9.7p1. By exploiting the race condition in sshd’s signal handler, attackers can execute arbitrary code remotely and potentially escalate their privileges to root on affected servers. The scope of this vulnerability is significant, as Qualys estimated that 14 million publicly accessible OpenSSH instances were at risk when the vulnerability was disclosed.

It is important to note that only Linux distributions using the GNU C Library (glibc) are currently affected. Other platforms, which do not rely on glibc, are not impacted by RegreSSHion. Nonetheless, because OpenSSH is commonly used to administer systems remotely, a successful exploit could allow attackers to fully compromise a target server, steal sensitive data, install persistent backdoors, or move laterally across a network. Organisations using vulnerable versions of OpenSSH are therefore urged to update to OpenSSH 9.8p1 or later as soon as possible.

Vulnerability Detection

OpenSSH versions 8.5p1 through 9.7p1 are likely to contain the RegreSSHion vulnerability. However, many Linux distributions backport security patches into older versions, so merely comparing upstream OpenSSH version numbers is not a reliable way to determine whether RegreSSHion is present. In such cases, it is essential to consult the distribution’s documentation and changelogs to confirm whether the packaged OpenSSH application is vulnerable.

Exploitation 

Exploitation of RegreSSHion requires some effort, and exploitation attempts may leave an audit trail. Vulnerabilities introduced by race conditions typically require multiple attempts before the desired outcome of the race is achieved, and RegreSSHion is no exception.

This bulletin follows the release of a proof-of-concept exploit, which could make exploitation more accessible; administrators should expect more exploitation attempts now that the proof of concept is public.
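Because every attempt must let the login grace period expire, the "audit trail" mentioned above is concrete: sshd writes a "Timeout before authentication" line for each expired grace period, and a run of them from one source in a short window is the pattern to look for. The script below is an added example for this bulletin, not code from Quorum Cyber, Qualys or the OpenSSH project. The log lines are constructed (RFC 5737 documentation addresses, made-up PIDs) but follow the wording sshd uses for that event; the threshold and window are tuning assumptions. Note that the temporary workaround of setting the grace period to 0 also switches this log signal off.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd logs this message when the login grace period expires with no successful
# authentication. One such line is normal (a stalled client, a scanner);
# a tight burst from one source is what repeated race attempts look like.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (RFC 5737 documentation addresses, made-up PIDs).
SAMPLE_LOG = """\
Jul  1 02:14:03 bastion sshd[41231]: Accepted publickey for ops from 198.51.100.7 port 50122 ssh2
Jul  1 02:15:10 bastion sshd[41250]: Timeout before authentication for 203.0.113.9 port 40110
Jul  1 02:17:12 bastion sshd[41261]: Timeout before authentication for 203.0.113.9 port 40111
Jul  1 02:19:14 bastion sshd[41273]: Timeout before authentication for 203.0.113.9 port 40112
Jul  1 02:20:30 bastion sshd[41280]: Timeout before authentication for 198.51.100.22 port 51000
Jul  1 02:21:16 bastion sshd[41288]: Timeout before authentication for 203.0.113.9 port 40113
Jul  1 02:23:18 bastion sshd[41297]: Timeout before authentication for 203.0.113.9 port 40114
Jul  1 02:24:40 bastion sshd[41301]: Connection closed by authenticating user ops 198.51.100.7 port 50140 [preauth]
Jul  1 02:25:20 bastion sshd[41305]: Timeout before authentication for 203.0.113.9 port 40115
"""


def parse_timeouts(log_text):
    """Return [(datetime, source_ip)] for every grace-period timeout line.
    Syslog timestamps carry no year; strptime defaults to 1900, which is
    fine for computing deltas within one file."""
    events = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def timeout_bursts(log_text, threshold=5, window_seconds=600):
    """Flag sources with at least `threshold` timeouts inside any span of
    `window_seconds`. Returns {ip: total timeouts from that ip}. The
    threshold and window are tuning assumptions, not values from the bulletin."""
    by_ip = defaultdict(list)
    for ts, ip in parse_timeouts(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive events over the sorted times.
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in timeout_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} pre-auth timeouts in a short window; review this source")
```

On the sample, 203.0.113.9 is flagged (six timeouts, the first five within about eight minutes) while the single timeout from 198.51.100.22 is ignored. Tune the threshold against the normal rate of stalled connections on the host before alerting on it.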

Although the discovery of the vulnerability is dated around July 2024, it was introduced into OpenSSH in October 2020, where it remained until disclosure.

Containment, Mitigations & Remediations 

Administrators should apply patches to the OpenSSH application as soon as possible if they suspect they are vulnerable. Where patching remains difficult, it is possible to set the login grace period to 0. However, this exposes OpenSSH servers to denial-of-service attacks and should only be considered a temporary workaround.

Additional Information

Here is the GitHub commit that re-introduced the vulnerability.

upstream: revised log infrastructure for OpenSSH · openssh/openssh-portable@752250c · GitHub


Ivanti Connect Secure, Policy Secure, and ZTA Gateways Vulnerabilities

Target Industry 

Indiscriminate, opportunistic targeting. 

Overview 

Ivanti has rolled out an update to mitigate a critical vulnerability and a high-severity flaw within Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The critical vulnerability, identified as CVE-2025-0282, could potentially allow unauthenticated remote code execution if successfully exploited. Additionally, the high-severity vulnerability, CVE-2025-0283, could enable a local authenticated attacker to escalate privileges.

Impact 

If the vulnerability CVE-2025-0282 is successfully exploited, an attacker could execute arbitrary code on the affected system, potentially leading to complete system compromise. This could result in unauthorised access to sensitive data, system modifications, or service disruptions. The network attack vector and lack of user interaction required increase the risk of widespread exploitation.

The privilege escalation vulnerability identified as CVE-2025-0283, although requiring authenticated local access, can grant full administrative rights to an attacker, enabling them to conduct malicious configurations or inject harmful code.

Vulnerability Detection 

The following products and versions are affected:

  • Ivanti Connect Secure versions prior to 22.7R2.5
  • Ivanti Policy Secure versions prior to 22.7R1.2
  • Ivanti Neurons for ZTA Gateways versions prior to 22.7R2.3
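The affected-version statements in the BeyondTrust, RegreSSHion and Ivanti advisories on this page are easiest to act on as a single inventory check. The script below is an added example, not code from Quorum Cyber or from any of the vendors: it parses the three version styles the advisories use ("24.3.1", "9.7p1", "22.7R2.5"), applies the stated bounds (inclusive "and earlier" for BeyondTrust, inclusive 8.5p1 through 9.7p1 for OpenSSH, exclusive "prior to" for Ivanti), and, for OpenSSH, treats a distribution suffix in the server banner as a reason to consult the changelog rather than as a verdict, since distributions backport fixes without changing the upstream version. The product keys, hostnames and sample versions are constructed.

```python
import re

# Vulnerable version ranges as stated in the advisories on this page.
# (low, high, high_inclusive); low=None means every earlier release is affected.
VULNERABLE_RANGES = {
    "openssh": ("8.5p1", "9.7p1", True),         # CVE-2024-6387 (RegreSSHion)
    "beyondtrust-pra": (None, "24.3.1", True),   # CVE-2024-12356, "24.3.1 and earlier"
    "beyondtrust-rs": (None, "24.3.1", True),    # CVE-2024-12356, "24.3.1 and earlier"
    "ivanti-ics": (None, "22.7R2.5", False),     # CVE-2025-0282/0283, "prior to"
    "ivanti-ips": (None, "22.7R1.2", False),
    "ivanti-zta": (None, "22.7R2.3", False),
}


def version_key(version: str) -> tuple:
    """Turn '24.3.1', '9.7p1' or '22.7R2.5' into a comparable tuple of ints."""
    if not re.fullmatch(r"\d+(?:[.pR]\d+)*", version.strip()):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_openssh_banner(banner: str):
    """Split an SSH server banner into (upstream version, vendor suffix).
    A suffix such as 'Ubuntu-3ubuntu0.10' means the package may carry a
    backported fix, so the upstream number alone is not conclusive."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)\s*(.*)$", banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return m.group(1), m.group(2).strip()


def in_vulnerable_range(product: str, version: str) -> bool:
    low, high, inclusive = VULNERABLE_RANGES[product]
    v = version_key(version)
    if low is not None and v < version_key(low):
        return False
    h = version_key(high)
    return v <= h if inclusive else v < h


def assess(product: str, version: str, vendor_suffix: str = "") -> dict:
    """Classify one asset as vulnerable / not-affected / check-changelog."""
    hit = in_vulnerable_range(product, version)
    if hit and vendor_suffix:
        verdict = "check-changelog"   # distro build: confirm against its changelog
    else:
        verdict = "vulnerable" if hit else "not-affected"
    return {"product": product, "version": version, "verdict": verdict}


def assess_inventory(assets):
    """assets: iterable of (hostname, product key, raw version or SSH banner)."""
    results = []
    for host, product, raw in assets:
        if product == "openssh":
            version, suffix = parse_openssh_banner(raw)
        else:
            version, suffix = raw, ""
        r = assess(product, version, suffix)
        r["host"] = host
        results.append(r)
    return results


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_ASSETS = [
    ("bastion-1", "openssh", "SSH-2.0-OpenSSH_9.6p1"),
    ("bastion-2", "openssh", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"),
    ("bastion-3", "openssh", "SSH-2.0-OpenSSH_9.8p1"),
    ("pra-appliance", "beyondtrust-pra", "24.3.1"),
    ("rs-appliance", "beyondtrust-rs", "24.3.2"),
    ("vpn-edge", "ivanti-ics", "22.7R2.4"),
    ("vpn-edge-2", "ivanti-ics", "22.7R2.5"),
]

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_ASSETS):
        print(f"{r['host']:14} {r['product']:16} {r['version']:10} {r['verdict']}")
```

The "check-changelog" verdict is the important one: a distro-packaged OpenSSH 8.9p1 may or may not contain the backported fix, and only the distribution's changelog settles it.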

Exploitation 

There is no evidence that a public proof of concept exists for CVE-2025-0282 or CVE-2025-0283. CVE-2025-0282 is actively being exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities list. CVE-2025-0283 affects the same versions as CVE-2025-0282 but has not been observed being exploited.

Containment, Mitigations & Remediations

  • Ivanti Connect Secure: Upgrade immediately to version 22.7R2.5 to mitigate this vulnerability
  • Ivanti Policy Secure: A patch is scheduled for release on 21st January 2025. Ivanti strongly advises ensuring the product is not exposed to the internet and is configured per best practices
  • Neurons for ZTA Gateways: The fix will be available on 21st January 2025. The risk is mitigated when the gateway is connected to a ZTA controller.

Indicators of Compromise

No indicators of compromise (IoCs) are available currently.

Threat Landscape 

Ivanti’s products, including Connect Secure and Policy Secure, are widely deployed in enterprise environments across various sectors, including government, healthcare, financial services, energy, and education. These solutions enable secure remote access and support for zero-trust access frameworks, making them high-value targets for cyber attackers.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Further Information 

1. https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

2. https://socradar.io/ivanti-zero-day-in-connect-secure-sonicwall-ssl-vpn/

3. https://nvd.nist.gov/vuln/detail/CVE-2025-0282

4. https://nvd.nist.gov/vuln/detail/CVE-2025-0283

5. https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways


Quorum Cyber Continues Expansion in North America with Kivu Consulting Acquisition

Quorum Cyber expands its Incident Response capabilities by adding digital forensics, business restoration, and ransom negotiations to its service catalogue with the acquisition of the U.S.-based company.

Quorum Cyber – headquartered in the U.K., with offices across North America – today announced the acquisition of Kivu Consulting Inc, a leading global cybersecurity firm specialising in Incident Response.

The strategic move bolsters Quorum Cyber’s rapid global expansion, as it comes just months after it acquired Difenda, a North American company that specializes in Microsoft Security Managed Services.

Founded in 2009, Kivu Consulting Inc, or ‘Kivu’, is a trusted partner in the global insurance, legal, and government sectors. The company is a leader in digital forensics, cyber incident response, business restoration, and ransom negotiations. Since its inception, Kivu has helped define the market for response, managed, and advisory services to protect organisations against compromised data, theft of trade secrets, and unauthorised access to data.

Kivu holds established relationships in over 40 Insurance and Legal panels across the U.S. and the U.K. This transformative acquisition not only rapidly expands Quorum Cyber’s presence within these industries, but also provides a robust foundation to strengthen its alliances and cement its status as a premier global threat management firm, renowned for its exceptional incident response capabilities.

In addition, the acquisition of Kivu enables Quorum Cyber to deliver its market-leading threat management services from three operations centers in the U.S., the U.K., and Canada to its customers worldwide.

Federico Charosky, CEO and Founder of Quorum Cyber, stated, “We are incredibly excited to welcome Kivu to Quorum Cyber. Kivu’s reputation for excellence and its strong history in incident response perfectly complement Quorum Cyber’s capabilities”.

Charosky continued, “The integration of Kivu’s stellar incident response teams and U.S.-based SOC, together with Quorum Cyber’s existing U.K., U.S. and Canadian operations, enables us to provide unparalleled 24/7 security coverage. This transaction highlights our rapid growth among incident response and threat management providers globally, reinforcing our commitment to delivering exceptional cybersecurity solutions, throughout North America, the U.K., and beyond.”

Shane Sims, Chief Executive Officer at Kivu, commented, “For the past 15 years, Kivu has leveraged its talent and forensic labs in the U.S. and U.K. to deliver threat intelligence-driven cybersecurity outcomes across every continent, serving organisations in all industries. Our success has been built on trusted partnerships with leaders in insurance, legal, technology, and government – all sharing the same goal of fighting cybercrime. Our acquisition by Quorum Cyber represents a strategic alignment with an organisation and team that share our mission, vision, and core values, while immediately scaling our team, capabilities, and services in a big way. This is a natural next step for Kivu, and I am excited about what it means for our employees, clients, and trusted partners.”

Quorum Cyber’s back-to-back acquisitions of Kivu Consulting and Difenda underscore its aggressive growth strategy across North American and U.K. markets. Bolstered by ongoing support from investors, Charlesbank Capital Partners and Livingbridge, the two acquisitions equip Quorum Cyber with the resources to strategically expand its service offerings and customer reach. The integration of Kivu’s incident response expertise and connections, coupled with Difenda’s managed services capabilities, marks a significant step in Quorum Cyber’s mission of asserting its market presence globally.

Piper Sandler & Co. served as exclusive financial advisor to Kivu, and Mintz and Lowenstein Sandler served as legal advisors to Quorum Cyber.


Critical Apache Struts File Upload Vulnerability

Overview

A critical severity vulnerability in Apache Struts with a CVSS version 4.0 score of 9.5 has been reported under CVE-2024-53677.

A flaw in the file upload logic of Apache Struts can allow attackers to manipulate file upload parameters to enable path traversal, thus potentially allowing them to upload files to restricted directories or perform Remote Code Execution.
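The defensive point in the paragraph above is language-agnostic: a client-controlled file name must never reach the filesystem as anything more than one plain path component, and the final path must be proven to sit inside the upload directory. The Python below is an added example written for this bulletin; it is not Apache Struts code and not the project's fix. It shows the weak join that traversal abuses next to a hardened handler; UPLOAD_ROOT is a hypothetical path and the test names are constructed.

```python
import os
import re

# Hypothetical upload directory for this example; not a path from the advisory.
UPLOAD_ROOT = "/srv/app/uploads"

# One path component: starts with a letter or digit, then a small allow-listed
# character set. Separators and a leading dot are never accepted.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name must not be used as a path component."""


def naive_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """The weak pattern: the client's name is joined to the upload root as-is.
    '..' segments walk out of the root, and os.path.join discards the root
    entirely when the supplied name is absolute."""
    return os.path.normpath(os.path.join(root, client_name))


def sanitise_filename(client_name: str) -> str:
    """Accept the name only if it is one plain component; reject everything
    else rather than trying to 'clean' it, so attempts stay visible in logs."""
    if "\x00" in client_name:
        raise UnsafeFilename("NUL byte in file name")
    if "/" in client_name or "\\" in client_name:
        raise UnsafeFilename("path separator in file name")
    if not _SAFE_COMPONENT.fullmatch(client_name):
        raise UnsafeFilename(f"disallowed file name: {client_name!r}")
    return client_name


def is_inside(root: str, path: str) -> bool:
    """True when path, with symlinks and '..' resolved, is root or below it."""
    root_abs = os.path.realpath(root)
    path_abs = os.path.realpath(path)
    return os.path.commonpath([root_abs, path_abs]) == root_abs


def safe_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened form: allow-list the name, then independently prove that the
    resulting path is still contained in the upload root (defence in depth)."""
    safe = sanitise_filename(client_name)
    candidate = os.path.join(root, safe)
    if not is_inside(root, candidate):
        raise UnsafeFilename("resolved path escapes the upload root")
    return os.path.normpath(candidate)


def is_rejected(client_name: str, root: str = UPLOAD_ROOT) -> bool:
    """Does the hardened path builder refuse this client-supplied name?"""
    try:
        safe_upload_path(client_name, root)
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    # Constructed names: one benign, the rest shapes a traversal check must refuse.
    for name in ["report.pdf", "../../etc/passwd", "/etc/passwd", "..\\..\\win.ini", ".htaccess"]:
        hardened = "rejected" if is_rejected(name) else safe_upload_path(name)
        print(f"{name!r:22} naive -> {naive_upload_path(name)!r:30} hardened -> {hardened}")
```

The two layers are deliberate: the allow-list stops traversal at the input boundary, and the containment check catches anything the allow-list is later relaxed to permit. Rejecting rather than rewriting bad names also gives the application a clean event to log and alert on.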

Impact

This vulnerability can be exploited to allow an attacker to upload malicious payloads which could then be used to run malicious commands, download additional malicious packages, or access and exfiltrate confidential data.

Vulnerability Detection

Apache has released a security update addressing the flaw. Struts 2.0.0 through 2.3.37 (EOL), Struts 2.5.0 through 2.5.33 (EOL), and Struts 6.0.0 through 6.3.0.2 are affected if they use the File Upload Interceptor.

Exploitation

Multiple instances of malicious activity matching the publicly available Proof of Concept have been reported.

Containment, Mitigations & Remediations

We recommend that all users of vulnerable versions update to Struts 6.4.0 or later and migrate from the File Upload Interceptor to the newer Action File Upload as soon as possible.

Please note that Action File Upload is not backwards compatible with existing actions written for the File Upload Interceptor; these will need to be rewritten. However, continuing to use the File Upload Interceptor will leave you vulnerable to this attack.

There is no known workaround at this time.

Threat Landscape

Apache Struts is a free, open-source web framework for developing Java web applications. It is integral to many corporate IT systems, used in public-facing portals, internal productivity tools, and many business-critical processes. Due to its widespread use in critical environments, exploitation could have significant and far-reaching consequences.

Tactics, Techniques and Procedures

Persistence:

Credential Access:

Collection:

Further Information


2024: A Game-changing Year for Quorum Cyber

Since its inception in Edinburgh in 2016, Quorum Cyber has flourished into an international cyber security leader with a team spanning the UK, Canada, the US, and the Middle East. Today, over 350 team members provide a comprehensive range of managed and professional cyber security and data security services protecting hundreds of private, public, and not-for-profit customers around the globe.  

In 2024, the company achieved several major milestones on its mission to creating a safer digital world, where good people win against cybercriminals.   

Acquisition of Difenda  

In September, Quorum Cyber announced arguably the most notable news in its eight-year history: the acquisition of Difenda, a Canada-headquartered, full-stack Microsoft Security managed services company. This strategic move underscores Quorum Cyber’s growth momentum and strengthens its global position as a leader of Microsoft Security services. Customers now have access to an unrivalled range of end-to-end cyber security services delivered by an international team of over 330 highly qualified experts.  

In another major milestone, Charlesbank, a US-based private equity firm with an outstanding track record, injected fresh investment into Quorum Cyber in June. This partnership propels Quorum Cyber’s drive to elevate existing services while offering exciting and innovative new services to its global customer base.  

With the backing of its investors, from December 31st, 2023, to December 31st, 2024, Quorum Cyber increased its revenue run rate from £21.6 million to £31.3 million and its recurring customer numbers from 101 to 156, rises of 45% and 54% respectively. 

Revamping managed security services – and launching new ones 

In the second half of 2024, Quorum Cyber revamped its range of managed services to help defend organisations of any size in any sector – wherever they are on their cyber security journey. Titled Clarity Defend, Clarity Extend, Clarity Protect, and Clarity Data, our range of managed security services help to safeguard organisations from the ever-evolving threat landscape.

Quorum Cyber also released a Cyber Resilience Assessment to give customers a deep understanding of their current cyber security posture and exposure to risk. As a threat-led cyber security leader, it also recruited a dedicated Threat Hunting team to proactively hunt cyber threats to stop threat actors in their tracks.  

New awards and accolades 

In March, Microsoft announced that Quorum Cyber was a double-award finalist for its Security MSSP of the Year and Security Customer Champion awards in the Microsoft Security Excellence Awards. This was the second year running that Quorum Cyber made the final round for two Microsoft Excellence Awards, having reached the final of Security Services Innovator and Security Changemaker in 2023.

Further boosting its credentials with Microsoft, in November it was awarded the Microsoft Information Protection and Governance specialization, which validates it as a leading partner for data security and Microsoft Purview related services. Quorum Cyber now holds three Microsoft Security specialisations: Threat Protection, Cloud Security, and Information Protection and Governance. 

And earlier in the year, Quorum Cyber was proud to announce its new status as a Microsoft FastTrack-ready partner. This designation made it a premier provider of security solutions, offering unmatched expertise in the deployment and management of Microsoft security technologies.  

In October, MSSP Alert, a leading online resource focused on managed security services providers (MSSPs) and the broader cyber security ecosystem, placed Quorum Cyber in its annual MSSP league table. Quorum Cyber rose nine places from 2023 and almost 100 places since 2022. Its recent acquisition, Difenda, was also included in the league table.

Closing out the year, Quorum Cyber was named a national winner of the British Private Equity and Venture Capital Association’s Vision Awards, a testament to the company’s exceptional growth performance. The judges commended its competitiveness, innovation, and environmental, social, and governance (ESG) principles.

Recognised and respected services 

Another huge win for Quorum Cyber in 2024 was Gartner naming it in its 2024 Market Guide for Managed Detection and Response. The guide provides in-depth studies, best practices, and trend analysis to improve business performance. As one of only two named UK vendors, Gartner recognised Quorum Cyber as being: 

  • Consistently visible to Gartner clients  
  • Variable in size and distribution so as to reflect the buying population
  • Having a clear end-user and outcome-focused offering distinct from pure technology-driven offerings. 

This was a huge testament to Quorum Cyber’s position in the managed detection and response (MDR) market. 

In March, Quorum Cyber brought 90 of its closest customers from a wide range of sectors together with representatives from Microsoft in Edinburgh for the Quorum Cyber Summit. With the theme ‘Navigating the Future of Cyber Security Together’, the Summit enabled cyber security professionals to learn from Quorum Cyber’s experts, network and share ideas and solutions with peers, and hear the latest developments from Microsoft.

Intelligence breakthroughs and fresh thought leadership 

In terms of content and threat intelligence research, Quorum Cyber was on fire this year, releasing new papers and thought leadership which garnered broad international coverage.  

At the start of the year, the company launched its second annual Threat Intelligence Outlook report to provide a strategic overview of developing cyber threats, where they originate from, why, and how they are likely to surface and manifest throughout the calendar year. The report was widely received as a valuable source of key insights into geopolitics and its link to cybercriminals and cyber-attacks, and for its useful sector-specific threat intelligence for organisations worldwide. The Threat Intelligence Outlook 2024 will be followed in January by the Quorum Cyber Global Cyber Risk Outlook Report 2025. 

In the summer, Quorum Cyber discovered a new malware variant, dubbed SharpRhino. This cyber intelligence breakthrough into a criminal gang’s tactics and techniques attracted a lot of publicity in the international cyber security community. News of the discovery of a new remote access trojan (RAT) used by notorious cybercrime group Hunters International to breach corporate networks was publicised on over 25 cyber security and intelligence websites in North America and the UK. 

The company launched its whitepaper, Transforming Security Spending: A Forward-Looking Guide for CISOs, which looks at the myriad challenges that Chief Information Security Officers (CISOs) face today and offers a better way for them to manage budgets while strengthening their organisation’s cyber security and cyber resilience. 

It also published a follow-up whitepaper, Mastering Cost Management and Reduction: A Guide for Chief Information Security Officers in Higher Education, which considers practical cost management tactics tailored to leaders in Higher Education.  

Ready to help you win 2025 

After a trailblazing 2024, the work doesn’t stop there. As an award-winning Microsoft Solutions Partner for Security – equipped with over 300 cyber security professionals in Europe and North America – Quorum Cyber has the expertise, experience, scale, and reach to defend and protect any organisation in any sector before, during, and after any kind of cyber incident anywhere in the world.

Contact us to discuss how we can help you win in 2025. 


Navigating the Complex Web of Cyber Threats in the Private Equity World

Private equity (PE) firms and their investments have become attractive targets for cybercriminals. They are perceived as treasure troves of sensitive client and market information and often operate within a complex network of relationships with banks, legal partners, and their portfolio companies. This places them in a unique position of vulnerability, where a single weakness can lead to significant impact across a wide portfolio.

A treasure trove of information

A significant part of this vulnerability stems from the nature of PE firms’ investments. Many of their portfolio companies are start-ups or scale-ups, which often lack mature security infrastructure.

In one survey, 52% of organisations reported that their client’s stock value suffered due to data breaches experienced by companies they acquired. Almost half (49%) of these organisations revealed that undisclosed breaches have caused deals they were part of to collapse. Furthermore, 82% of organisations believe that a robust cyber security infrastructure increases the assessed value of a company.

A successful attack on one portfolio company can potentially compromise others and even the PE firm itself. Extracted data can be used for various malicious activities, from insider trading to strategic business sabotage, and disruption to business operations can be detrimental to the bottom line. Moreover, the high volume and value of financial transactions these firms manage present a lucrative opportunity for attackers. The implications of a cyber-attack can be devastating, leading to the collapse of client projects, reputational damage, and potentially hefty fines. It takes years to build brand reputation and trust with investors, but just one momentary lapse of security to diminish the value of an investment or impact the company’s opportunity to cash out from investments. It can also negatively impact the PE house’s ability to re-leverage or pursue acquisitions.

One global IT service company has reported that 68% of PE houses see an increase in cyber incidents during the month of a deal closure. Among these companies, the increase in incidents can be as high as 116% post-close. Furthermore, once a deal is closed, the frequency of incidents continues to rise in the following month. This can have serious implications for PE houses’ buy-and-build strategies and dent plans to make further acquisitions in the same industry.

PE firms are particularly susceptible to business email compromise (BEC) attacks, where fraudsters trick businesses into transferring funds to their accounts. Recent advancements in artificial intelligence (AI) have also led to sophisticated impersonations via email, voicemail, and video. With the latest generative AI (GenAI) tools criminals can impersonate a person with just three seconds of audio and seven seconds of video, making the barrier to conducting a successful spoof much lower.

Increasing awareness and concern

General Partners, who manage the day-to-day operations and investment decisions of PE firms, are now taking action to protect their businesses from today’s greatest cyber threats. And so are the Limited Partners, who increasingly want to know how their investments and the portfolio companies are being protected from cyber risks. There are therefore plenty of reasons why PE firms must treat cyber risks as seriously as market and legal risks. A successful cyber-attack on a portfolio company can jeopardise the reputation and financial stability of the firm and its investors.

PE firms are vulnerable on multiple fronts, from their vendors and third-party suppliers to their portfolio companies.

Protecting the investment lifecycle

As PE firms know, the investment lifecycle is critical. And cybercriminals know this too. Preparing for the buying and selling of any company is important. Ensuring that a company is secure can increase its valuation, and firms should be aware that cybercriminals may target specific companies at key times, such as just before they go up for sale.

By managing the cyber security of their portfolio companies professionally, PE firms can minimise risk, maximise exit value, and uphold their reputation. In the face of an ever-growing cybercrime economy, proactive cyber security measures are no longer optional but an absolute necessity for PE firms.

Adopting a portfolio-wide cyber security strategy and culture

By establishing a portfolio-wide strategy to mitigate cyber risks, PE firms can do a lot to protect themselves. This includes fostering a culture of cyber awareness, providing comprehensive training for employees across both the PE firm and its portfolio companies, and establishing partnerships with trusted cyber security experts.

A threat-centric approach to cyber security is crucial. Not only must PE firms assess the potential impact of a breach on each company’s brand, reputation, or strategic value, but they must also take into account knowledge of the threat landscape and implement protective measures accordingly.

Find out more

Being a private equity-backed business ourselves, we possess an in-depth understanding of the industry and its unique challenges. This experience enables us to better support private equity houses and their portfolio companies through our knowledge of their decision-making processes, their goals, and their work to enhance value.

Whether you are a PE firm or a PE-backed business, get in touch today to discuss how Quorum Cyber can help protect your investment by combining our in-depth industry knowledge with Microsoft Security.
