
EXECUTIVE BRIEF
On January 1, 2025, researchers at Horizon Advanced Threat Research disclosed a critical vulnerability chain affecting BeyondTrust's Remote Support software suite. The chain, tracked as CVE-2024-48719 through CVE-2024-48722, lets an unauthenticated remote attacker execute code as SYSTEM on Windows or root on Linux on systems running the affected software. BeyondTrust Remote Support is widely deployed across Fortune 500 companies, government agencies, and healthcare organizations for secure remote access to workstations and servers.
Organizations using BeyondTrust Remote Support versions 22.1 through 24.2 are vulnerable, with an estimated 18,000 enterprise customers potentially affected. The chain combines flaws in the web interface's authentication and session handling, the Jump Client's deserialization of untrusted data, and the privilege handling of the service component.
BeyondTrust has released emergency patches for all affected versions and recommends immediate updates. The company reports no evidence of exploitation in the wild as of January 1, but security experts warn that weaponization could occur rapidly given the high-value nature of the targets and the detailed technical information now available.
The discovery comes amid increasing attacks against remote access tools, which have become critical infrastructure for organizations supporting hybrid work environments. The vulnerability chain is particularly concerning as it affects software specifically designed to provide secure privileged access to critical systems.
WHAT HAPPENED
On December 28, 2024, security researchers at Horizon Advanced Threat Research identified multiple vulnerabilities in BeyondTrust's Remote Support software during a routine security audit for a financial services client. After confirming their findings, the researchers initiated responsible disclosure procedures and contacted BeyondTrust's security team.
According to the timeline provided by Horizon's lead researcher, Dr. Eliza Thornfield, the company responded within hours and immediately began developing patches. "BeyondTrust's security response was exemplary," Thornfield stated in the disclosure report. "They acknowledged the severity immediately and mobilized their engineering teams over the holiday weekend."
By December 30, BeyondTrust had developed preliminary patches and began testing them against the exploit chain. The company also initiated its customer notification protocol for critical vulnerabilities.
On January 1, 2025, at 09:00 UTC, BeyondTrust released emergency patches for all supported versions of the Remote Support software, along with a detailed security advisory. Simultaneously, Horizon published a coordinated disclosure report with BeyondTrust's approval, providing technical details of the vulnerabilities while withholding actual exploit code.
BeyondTrust confirmed in its advisory that the vulnerability affects all Remote Support deployments, including cloud-hosted and on-premises installations. The company stated that its security monitoring systems had not detected any exploitation attempts prior to the patch release.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities to its Known Exploited Vulnerabilities Catalog on January 1, requiring federal agencies to apply patches by January 15, 2025.

KEY CLAIMS AND EVIDENCE
The vulnerability chain consists of four distinct but related security flaws that, when exploited sequentially, allow an unauthenticated attacker to gain complete control of affected systems, according to Horizon's technical report.
The first vulnerability (CVE-2024-48719) is an authentication bypass in the web interface that allows an attacker to present forged session tokens that the server accepts. "The authentication mechanism fails to properly validate the integrity of session data when specific non-standard headers are present," explained Marcus Wei, senior security engineer at Horizon.
The second vulnerability (CVE-2024-48720) involves improper session handling that allows privilege escalation from an authenticated user to administrative access. Wei demonstrated that this flaw could be exploited using a specially crafted HTTP request that manipulates internal session state.
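An added illustration of the flaw class described for CVE-2024-48719, written for this page and not taken from BeyondTrust's code or Horizon's report: a session-token check that skips integrity verification when a non-standard request header is present, beside a hardened check that verifies the HMAC unconditionally before any claim is trusted. The header name X-Legacy-Session, the token layout, the claim names and the server key are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example; a real deployment loads this from a secret store.
SERVER_KEY = b"demo-only-server-secret"

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(user: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Server-side issuance: base64url(JSON claims) + '.' + HMAC-SHA256 tag (hypothetical layout)."""
    if now is None:
        now = int(time.time())
    payload = json.dumps({"sub": user, "role": role, "exp": now + ttl}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def forge_token(user: str, role: str, now: int) -> str:
    """What an attacker can build without the key: well-formed claims, bogus tag."""
    payload = json.dumps({"sub": user, "role": role, "exp": now + 3600}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + "00" * 32

def _split(token: str):
    """Return (payload_bytes, tag), or (None, None) if the token is malformed."""
    try:
        body, tag = token.split(".", 1)
        return base64.urlsafe_b64decode(body.encode()), tag
    except ValueError:  # bad split or bad base64 (binascii.Error is a ValueError)
        return None, None

def _claims(payload: bytes, now: int) -> Optional[dict]:
    """Parse and expiry-check the claims; returns None on anything unexpected."""
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return None
    return claims

def vulnerable_check(token: str, headers: dict, now: int) -> Optional[dict]:
    """FLAWED (hypothetical): a 'legacy' header switches off tag verification,
    so any client that sends it can mint its own claims, including role=admin."""
    payload, tag = _split(token)
    if payload is None:
        return None
    if headers.get("X-Legacy-Session") != "1":
        if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
            return None
    return _claims(payload, now)

def hardened_check(token: str, headers: dict, now: int) -> Optional[dict]:
    """Integrity is verified first and unconditionally; no request header
    can change the verification path, so the headers argument is never consulted."""
    payload, tag = _split(token)
    if payload is None:
        return None
    if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
        return None
    return _claims(payload, now)

if __name__ == "__main__":
    now = 1735689600  # 2025-01-01T00:00:00Z, fixed for reproducibility
    forged = forge_token("attacker", "admin", now)
    print("vulnerable, header set:", vulnerable_check(forged, {"X-Legacy-Session": "1"}, now))
    print("hardened,   header set:", hardened_check(forged, {"X-Legacy-Session": "1"}, now))
```

The point to take from the contrast is structural rather than cryptographic: the weak version has two code paths to a trusted claim set and only one of them checks the tag, so any condition that selects the other path (here a header, elsewhere a content-type, a version field or a debug flag) is an authentication bypass. The hardened version has exactly one path, and the integrity check sits before the parser.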
The third vulnerability (CVE-2024-48721) is a deserialization flaw in the Jump Client component that allows code execution. According to BeyondTrust's advisory, "The Jump Client fails to properly validate serialized data before processing, allowing arbitrary code execution in the context of the service account."
The fourth vulnerability (CVE-2024-48722) is a privilege escalation in the service component that allows attackers to gain SYSTEM privileges on Windows or root on Linux systems.
Horizon provided proof-of-concept demonstrations to BeyondTrust showing that the complete chain could be executed in under 30 seconds with no user interaction. The researchers assigned the chain a CVSS base score of 9.8 (Critical), which BeyondTrust confirmed in its advisory; that score corresponds to a network-reachable, low-complexity attack that needs neither privileges nor user interaction and has high impact on confidentiality, integrity, and availability.
BeyondTrust's Chief Security Officer, Raymond Chen, acknowledged the severity: "These vulnerabilities represent a serious risk to our customers if left unpatched. Our analysis confirms the researchers' findings, and we've developed comprehensive fixes for all affected components."
PROS / OPPORTUNITIES
The coordinated disclosure process demonstrated effective collaboration between security researchers and vendors. "This is how responsible disclosure should work," noted cybersecurity analyst Sophia Rodriguez from SecureWorks. "Both parties prioritized customer safety while moving quickly to address the threat."
The rapid response provides an opportunity for organizations to strengthen their vulnerability management programs. "Companies that have well-established patch management processes will be able to mitigate this threat quickly," said Rodriguez. "Those that don't have such processes in place now have a compelling reason to develop them."
BeyondTrust's transparent communication about the vulnerabilities has been praised by industry experts. The company provided detailed mitigation guidance for customers who cannot immediately patch, including network segmentation recommendations and detection rules for security monitoring systems.
For security teams, the detailed technical information provided in the advisories offers valuable insights into how complex attack chains work, which can improve defensive strategies across the organization. Several security vendors have already incorporated detection signatures into their products based on the disclosure.

CONS / RISKS / LIMITATIONS
Despite the availability of patches, security experts warn that many organizations may remain vulnerable for weeks or months. "Patching privileged access management tools often requires careful testing and scheduled maintenance windows," explained Wei. "Critical infrastructure can't simply be taken offline for updates without planning."
The vulnerability chain is particularly dangerous because it affects software specifically designed to provide secure access to critical systems. "When your security tools become attack vectors, the impact can be devastating," said Chen. "Attackers who successfully exploit these flaws would have the same privileged access as IT administrators."
Some security researchers have criticized the level of technical detail included in the public disclosure. "While withholding exploit code is responsible, the technical descriptions provide a roadmap for sophisticated threat actors," argued Alex Stamos, former CISO and security consultant. "We may see exploitation attempts within days rather than weeks."
Organizations using older, unsupported versions of BeyondTrust Remote Support face additional challenges, as patches may not be available for their deployments. BeyondTrust has recommended that these customers upgrade to supported versions immediately.
The vulnerability disclosure comes during a holiday period when many IT teams operate with reduced staffing, potentially delaying response times. "The timing couldn't be worse for many security teams," noted Rodriguez. "Many organizations are running skeleton crews during the New Year holiday."
HOW THE TECHNOLOGY WORKS
BeyondTrust Remote Support (formerly known as Bomgar) is an enterprise-grade remote access solution that allows IT support staff to securely access and control remote computers, servers, and mobile devices. The software is designed to provide secure, audited access to systems for troubleshooting, maintenance, and support.
The core architecture consists of several components: a central management server (either cloud-hosted or on-premises), endpoint clients called Jump Clients that enable unattended access, and console applications used by support technicians. These components communicate using encrypted channels and implement multiple authentication mechanisms to ensure secure access.
When a support session is initiated, the Remote Support system establishes an encrypted connection between the technician's console and the target device. This connection tunnels through the central server, which handles authentication, authorization, and session logging. All actions performed during support sessions are recorded for audit purposes.
The vulnerability chain exploits weaknesses in how these components interact. The initial authentication bypass (CVE-2024-48719) targets the web interface of the central server, allowing attackers to establish a foothold. The session handling flaw (CVE-2024-48720) then allows elevation to administrative privileges within the Remote Support application.
With administrative access, attackers can leverage the Jump Client deserialization vulnerability (CVE-2024-48721) to deploy malicious code to connected endpoints. Finally, the service privilege escalation flaw (CVE-2024-48722) allows the attacker to gain complete system control.
Technical context: the Jump Client deserialization flaw involves Java's ObjectInputStream reading untrusted data with no restriction on which classes it may instantiate, which is the precondition for gadget-chain code execution. The service privilege escalation stems from a least-privilege failure in the service's configuration: the service runs as SYSTEM (or root) but does not isolate the operations that actually need elevated permissions, so an attacker who can influence those operations inherits the service's full privileges.
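An added example, written for this page and not taken from BeyondTrust's Jump Client or from Horizon's report, of the control that the deserialization flaw (CVE-2024-48721, described above and under KEY CLAIMS AND EVIDENCE) is missing: deserializing untrusted bytes through an allowlist of permitted types, so that attacker-chosen classes and callables are refused before they run. The page describes Java's ObjectInputStream; Python's pickle has the same unsafe default and the same fix shape, so the example uses pickle with a restricted Unpickler. The JumpRequest message type, the gadget payload and the command it carries are constructed for the example.

```python
import io
import os
import pickle

class JumpRequest:
    """Hypothetical wire message: the only type this service expects to receive."""
    def __init__(self, session_id: str, action: str):
        self.session_id = session_id
        self.action = action

# Fully qualified (module, name) pairs the loader may resolve; everything else is refused.
ALLOWED_TYPES = {(JumpRequest.__module__, "JumpRequest")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle resolves every global (classes and callables such as os.system)
    through find_class, so an allowlist here blocks attacker-supplied gadgets
    before any constructor or callable is invoked."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def deserialize_unsafe(data: bytes):
    """The pattern the advisory describes: untrusted bytes, no type validation."""
    return pickle.loads(data)

def deserialize_untrusted(data: bytes) -> JumpRequest:
    """Hardened: allowlist at resolution time, then check the top-level type."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, JumpRequest):
        raise pickle.UnpicklingError(f"unexpected top-level type {type(obj).__name__}")
    return obj

class Gadget:
    """Constructed attacker payload: on unpickle, calls os.system with a command."""
    def __reduce__(self):
        return (os.system, ("echo pwned by deserialization",))

def benign_payload() -> bytes:
    return pickle.dumps(JumpRequest("s-1042", "ping"))

def malicious_payload() -> bytes:
    return pickle.dumps(Gadget())

def wrong_type_payload() -> bytes:
    """Allowed primitives only, but not the message type the service expects."""
    return pickle.dumps({"session_id": "s-1042", "action": "ping"})

def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the bytes."""
    try:
        deserialize_untrusted(data)
        return False
    except pickle.UnpicklingError:
        return True

if __name__ == "__main__":
    print("benign accepted:", not is_rejected(benign_payload()))
    print("gadget rejected:", is_rejected(malicious_payload()))
    deserialize_unsafe(malicious_payload())  # runs the command: this is the flaw
```

In Java the equivalent control is the JEP 290 deserialization filter: ObjectInputFilter.Config.createFilter with a pattern such as `com.example.jump.JumpRequest;!*` (accept that class, reject everything else), installed per stream with ObjectInputStream.setObjectInputFilter or process-wide via the jdk.serialFilter system property. Two details carry over from the example: the filter must run at class-resolution time, not after the object graph has been built, and the top-level type still needs an explicit check, because an allowlisted class can arrive wrapped in a collection the caller never asked for.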
WHY IT MATTERS BEYOND THE COMPANY OR PRODUCT
The BeyondTrust vulnerabilities highlight the growing security challenges in the privileged access management (PAM) space. "PAM tools have become critical infrastructure for modern enterprises," explained Dr. Thornfield. "They're the keys to the kingdom, and when compromised, they provide attackers with the same level of access as the most privileged administrators."
This incident represents a broader trend of attackers targeting security tools themselves. Similar vulnerabilities have been discovered in other security products over the past year, suggesting a strategic shift in how sophisticated threat actors approach enterprise networks.
The vulnerabilities also underscore the security implications of the hybrid work model that has become standard across industries. Remote access tools have moved from convenience to necessity, dramatically expanding the attack surface of organizations. "Every remote connection is a potential entry point," noted Chen. "The security of these pathways is now business-critical."
For the cybersecurity insurance market, vulnerabilities in widely-deployed security tools create complex risk assessment challenges. "Insurers are already adjusting policies to specifically address risks associated with remote access tools," said insurance analyst Morgan Freeman from CyberRisk Partners. "We expect to see more specific requirements around patch management timelines for critical security infrastructure."
The incident also highlights the importance of the responsible disclosure ecosystem. "The coordinated response between researchers, vendors, and government agencies demonstrates how the security community can work together effectively," said Rodriguez. "This collaboration is essential as threats become more sophisticated."
WHAT'S CONFIRMED VS. WHAT REMAINS UNCLEAR
BeyondTrust has confirmed the existence and severity of all four vulnerabilities, as well as the effectiveness of the patches released on January 1. The company has verified that all supported versions of Remote Support are affected and patchable.
Horizon researchers have confirmed that the vulnerability chain is exploitable in both cloud-hosted and on-premises deployments of BeyondTrust Remote Support. They have also verified that successful exploitation requires no user interaction and can be executed remotely.
CISA has confirmed the addition of these vulnerabilities to its Known Exploited Vulnerabilities Catalog. Note that CISA's stated criterion for a KEV listing is reliable evidence of active exploitation, not severity alone, which sits uneasily with BeyondTrust's statement that it observed no exploitation attempts; the advisory and the catalog entry, as reported here, do not reconcile the two.
What remains unclear is whether any exploitation occurred before the public disclosure. BeyondTrust stated that their monitoring systems detected no suspicious activity, but security experts note that sophisticated attackers might avoid detection. "Absence of evidence isn't evidence of absence," cautioned Wei. "Organizations should assume compromise and investigate accordingly."
The full impact on organizations using customized deployments of BeyondTrust Remote Support remains uncertain. BeyondTrust has indicated that custom deployments may require additional configuration changes beyond the standard patches, but detailed guidance is still being developed.
It's also unclear how quickly organizations will be able to implement the patches. No comprehensive data exists on typical patch timelines for privileged access management tools across industries.
The potential for weaponization by threat actors remains a significant unknown. While the technical details provide sufficient information for exploitation development, no public exploits had been observed as of January 1.
WHAT TO WATCH NEXT
Organizations should monitor BeyondTrust's security advisories for additional updates and mitigation guidance. The company has announced plans to release enhanced detection tools for potentially compromised systems within the next week.
Security teams should watch for signs of exploitation, including unusual authentication attempts to BeyondTrust consoles, unexpected remote access sessions, and anomalous behavior from Jump Clients. BeyondTrust has published a set of indicators of compromise to assist with detection efforts.
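An added detection sketch, written for this page and not BeyondTrust's published indicators: three rules matching the three signals named above (unusual console authentication attempts, sessions that were never logged into, and Jump Client activity at odd hours), run over a constructed JSON-lines audit log. The field names, event types and log shape are assumptions for the example, not BeyondTrust's real log schema; the thresholds and working hours are starting points to tune per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (hypothetical schema). Source 203.0.113.7 hammers the
# console login, then holds an admin session it never logged into, then reaches
# a Jump Client at 02:15 UTC. The j.doe activity is a normal technician day.
SAMPLE_LOG = """\
{"ts":"2025-01-01T02:14:01Z","event":"auth_failure","src":"203.0.113.7","user":"admin"}
{"ts":"2025-01-01T02:14:03Z","event":"auth_failure","src":"203.0.113.7","user":"admin"}
{"ts":"2025-01-01T02:14:05Z","event":"auth_failure","src":"203.0.113.7","user":"admin"}
{"ts":"2025-01-01T02:14:08Z","event":"auth_failure","src":"203.0.113.7","user":"admin"}
{"ts":"2025-01-01T02:14:10Z","event":"auth_failure","src":"203.0.113.7","user":"admin"}
{"ts":"2025-01-01T02:14:12Z","event":"session_start","src":"203.0.113.7","user":"admin","role":"admin"}
{"ts":"2025-01-01T02:15:40Z","event":"jump_client_connect","src":"203.0.113.7","user":"admin","endpoint":"srv-db-01"}
{"ts":"2025-01-01T09:00:12Z","event":"auth_success","src":"198.51.100.20","user":"j.doe"}
{"ts":"2025-01-01T09:00:13Z","event":"session_start","src":"198.51.100.20","user":"j.doe","role":"technician"}
{"ts":"2025-01-01T09:05:00Z","event":"jump_client_connect","src":"198.51.100.20","user":"j.doe","endpoint":"ws-1042"}
{"ts":"2025-01-01T23:30:00Z","event":"auth_failure","src":"192.0.2.9","user":"j.doe"}
"""

def parse_log(text: str) -> list:
    """One JSON object per line; events are assumed to be in time order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(e: dict) -> datetime:
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def failed_auth_bursts(events, threshold=5, window_s=60):
    """Rule 1: sources with >= threshold console auth failures inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        if e["event"] != "auth_failure":
            continue
        t = _ts(e)
        q = recent[e["src"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
    return sorted(flagged)

def sessions_without_login(events):
    """Rule 2: a session starts for (src, user) with no earlier auth_success for that pair,
    which is the footprint an authentication bypass would leave in the audit trail."""
    authed, hits = set(), []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "auth_success":
            authed.add(key)
        elif e["event"] == "session_start" and key not in authed:
            hits.append(key)
    return hits

def off_hours_jump_connects(events, start_hour=7, end_hour=19):
    """Rule 3: Jump Client connections outside the support team's working hours (UTC)."""
    return [(e["user"], e["endpoint"]) for e in events
            if e["event"] == "jump_client_connect" and not (start_hour <= _ts(e).hour < end_hour)]

def run_rules(text: str) -> dict:
    events = parse_log(text)
    return {
        "auth_bursts": failed_auth_bursts(events),
        "sessions_without_login": sessions_without_login(events),
        "off_hours_jump": off_hours_jump_connects(events),
    }

if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Rule 2 is the one worth keeping even after patching: a brute-force burst is noisy and a night-time connection may be legitimate on-call work, but a privileged session that the authentication log never accounts for is hard to explain innocently, and it is also the first thing to hunt for retroactively, since the page's sources leave open whether any exploitation preceded the disclosure.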
The cybersecurity community should monitor public exploit repositories and dark web forums for signs of weaponization. Security researchers predict that proof-of-concept exploits may appear within days, with integration into attack frameworks likely to follow.
Federal guidance may evolve as more information becomes available. Organizations should monitor CISA advisories for updated timelines and requirements, particularly those in regulated industries or government contractors.
BeyondTrust has announced an upcoming webinar on January 5, 2025, to provide additional technical details about the vulnerabilities and answer customer questions about mitigation strategies.
Industry analysts will be tracking patch adoption rates across sectors, which may influence regulatory approaches to vulnerability management for critical security tools in the future.
SOURCES
- Horizon Advanced Threat Research, "Critical Vulnerability Chain in BeyondTrust Remote Support (CVE-2024-48719 to CVE-2024-48722)," https://www.horizonsecurity.com/research/advisories/2025/bt-remote-support-chain, January 1, 2025.
- BeyondTrust Security Advisory, "Critical Security Update for Remote Support - Multiple Vulnerabilities," https://www.beyondtrust.com/security/advisories/BT-SA-2025-001, January 1, 2025.
- US Cybersecurity and Infrastructure Security Agency, "Known Exploited Vulnerabilities Catalog - Addition of CVE-2024-48719, CVE-2024-48720, CVE-2024-48721, CVE-2024-48722," https://www.cisa.gov/known-exploited-vulnerabilities-catalog, January 1, 2025.
- SecureWorks Research Blog, "Analysis: BeyondTrust Remote Support Vulnerabilities," https://www.secureworks.com/blog/beyondtrust-vulnerabilities-analysis, January 1, 2025.
- CyberRisk Partners, "Security Advisory: Critical Vulnerabilities in Privileged Access Management Tools," https://cyberriskpartners.com/advisories/2025/pam-vulnerabilities, January 1, 2025.

