BeyondTrust Discloses Zero-Day Breach Impacting 17 SaaS Customers Due to Compromised API Key

February 1, 2025

BeyondTrust, an American access management company, has recently completed an investigation into a cybersecurity incident that targeted its Remote Support Software as a Service (SaaS) instances. The breach was facilitated through a compromised API key and affected 17 of its SaaS customers. The threat actor used the API key to gain unauthorized access by resetting local application passwords.

The incident was first detected on December 5, 2024. BeyondTrust's investigation found that the breach was enabled by a zero-day vulnerability in a third-party application, which allowed the threat actor to gain access to an online asset in a BeyondTrust Amazon Web Services (AWS) account. The threat actor then used this access to obtain an infrastructure API key, which was in turn used against a separate AWS account that operated the Remote Support infrastructure.

BeyondTrust has not disclosed the name of the third-party application that was exploited to obtain the API key. However, the investigation did uncover two separate vulnerabilities in its own products, identified as CVE-2024-12356 and CVE-2024-12686. In response to the breach, BeyondTrust has revoked the compromised API key and suspended all known affected customer instances. The customers were also provided with alternative Remote Support SaaS instances.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. However, the exact details of the malicious activity are currently unknown.

In addition to BeyondTrust's customers, the U.S. Treasury Department also confirmed that it was one of the parties affected by the breach. No other federal agencies have been identified as impacted. The attacks have been attributed to a China-linked hacking group known as Silk Typhoon (formerly Hafnium). The U.S. Treasury Department has imposed sanctions against a Shanghai-based cyber actor named Yin Kecheng for his alleged involvement in the breach of the Treasury's Departmental Offices network.
