## Overview

Two critical security vulnerabilities in BeyondTrust's privileged access management tools have been actively exploited in the wild, leading to a significant breach at the U.S. Treasury. The flaws include CVE-2024-12686 (CVSS: 6.6) and CVE-2024-12356 (CVSS: 9.8), both added to CISA's KEV catalog.

## Whom it may concern

* Federal agencies using BeyondTrust PRA/RS products
* Security teams managing privileged access systems
* Treasury department officials and stakeholders
* Organizations potentially targeted by Silk Typhoon

## Key Findings

1. Two zero-day vulnerabilities exploited in BeyondTrust products
2. Compromised API key identified and revoked by BeyondTrust
3. Chinese state-sponsored group Silk Typhoon confirmed as threat actor
4. Multiple Treasury offices targeted: OFAC, OFR, and CFIUS

## Risk Analysis

* Probability: High (active exploitation confirmed)
* Impact: Critical (government systems compromised)
* Attack Vector: Command injection via administrative privileges
* Exposure Window: December 2024 - January 2025

## Action Items

* Implement patches by February 3, 2024
* Review and rotate all API keys
* Audit privileged access systems
* Monitor for indicators of compromise
* Implement additional access controls
