Beyondtrust


Products by Beyondtrust Sorted by Most Security Vulnerabilities since 2018

Beyondtrust Remote Support: 3 vulnerabilities

Beyondtrust Beyondinsight: 2 vulnerabilities

Known Exploited Beyondtrust Vulnerabilities

The following Beyondtrust vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.
CVE-2026-1731 Exploit Probability: 74.3%
Added: February 13, 2026

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.
CVE-2024-12686 Exploit Probability: 33.4%
Added: January 13, 2025

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.
CVE-2024-12356 Exploit Probability: 93.8%
Added: December 19, 2024

The vulnerability CVE-2024-12356: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 2 known exploited Beyondtrust vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 2 vulnerabilities in Beyondtrust. Last year, in 2025, Beyondtrust had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Beyondtrust in 2026 could surpass last year's number.




Year Vulnerabilities Average Score
2026 2 0.00
2025 4 7.43
2024 11 6.47
2023 9 8.22
2022 1 6.10
2021 2 7.80
2020 1 0.00
2019 1 0.00

It may take a day or so for new Beyondtrust vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Beyondtrust Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-1731 Feb 06, 2026
BeyondTrust RS Check: Pre-Auth RCE via Crafted Requests
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Products: Privileged Remote Access

CVE-2026-1232 Feb 02, 2026
BT PrivMgmt <=25.7 AntiTamper Bypass by Admin Local User
A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product's anti-tamper protections, which could allow access to protected application components and the ability to modify product configuration.
Products: Privilege Management Windows

CVE-2025-2297 Jul 28, 2025
Privilege Escalation via Manipulated User Profile Files (before 25.4.270.0)
Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to administrator.
Products: Privilege Management Windows

CVE-2025-6250 Jul 28, 2025
Defender Endpoint Issue via wmic.exe (v<25.4.270.0)
Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions.
Products: Privilege Management Windows

CVE-2025-0217 May 05, 2025
Auth Bypass in BeyondTrust PRA (<25.1) Allows Unauthorized ShellJump View
BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. A local authenticated attacker can view the connection details of a ShellJump session that was initiated with external tools, allowing unauthorized access to connected sessions.
Products: Privileged Remote Access

CVE-2025-0889 Feb 26, 2025
Privilege Management for Windows EPM Priv Elev CVE-2025-0889 <25.2
Prior to 25.2, a local authenticated attacker can elevate privileges on a system with Privilege Management for Windows installed, via the manipulation of COM objects under certain circumstances where an EPM policy allows for automatic privilege elevation of a user process.
Products: Privilege Management Windows

CVE-2024-12686 Dec 18, 2024
Command Injection in Privileged Remote Access & Remote Support (PRA/RS)
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.
Products: Remote Support, Privileged Remote Access

CVE-2024-12356 Dec 17, 2024
Unauthenticated Command Injection in PRA/RS Remote Access
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
Products: Remote Support, Privileged Remote Access

CVE-2024-9110 Oct 30, 2024
XSS in Microsoft PIM (Privileged Identity Management)
A medium severity vulnerability has been identified within Privileged Identity which can allow an attacker to perform reflected cross-site scripting attacks.
Products: Privileged Identity

CVE-2024-5812 Jun 11, 2024
BIPS: High-Privilege API Overwrites Read-Only Smart Rules (CVE-2024-5812)
A low severity vulnerability in BIPS has been identified where an attacker with high privileges or a compromised high privilege account can overwrite Read-Only smart rules via a specially crafted API request.
Products: Beyondinsight Password Safe

CVE-2024-5813 Jun 11, 2024
BIPS SSH Private Key Info Leak (CVE-2024-5813)
A medium severity vulnerability in BIPS has been identified where an authenticated attacker with high privileges can access the SSH private keys via an information leak in the server response.
Products: Beyondinsight Password Safe

CVE-2024-4220 Jun 04, 2024
BeyondInsight <23.1 - USERNAME Enumeration via ID Disclosure (CVE-2024-4220)
Prior to 23.1, an information disclosure vulnerability exists within BeyondInsight which can allow an attacker to enumerate usernames.
Products: Beyondinsight

CVE-2024-4219 Jun 04, 2024
BeyondInsight <23.2 SSRF via HTTP Connectors
Prior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability.
Products: Beyondinsight

CVE-2024-4017 Apr 19, 2024
Improper Privilege Management - DLL Side-load in BeyondTrust U-Series 3.44.0.2 (Windows)
Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (filesystem modules) allows DLL Side-Loading. This issue affects U-Series Appliance: from 3.4 before 4.0.3.
Products: U Series Appliance

CVE-2024-4018 Apr 19, 2024
BeyondTrust U-Series Appliance 3.4 API Privilege Escalation (pre-4.0.3)
Improper Privilege Management vulnerability in BeyondTrust U-Series Appliance on Windows, 64 bit (local appliance api modules) allows Privilege Escalation. This issue affects U-Series Appliance: from 3.4 before 4.0.3.
Products: U Series Appliance

CVE-2024-25083 Feb 16, 2024
BeyondTrust PM Elevation via Repair Attack on Windows <24.1
An issue was discovered in BeyondTrust Privilege Management for Windows before 24.1. When a low-privileged user initiates a repair, there is an attack vector through which the user is able to execute any program with elevated privileges.
Products: Privilege Management Windows

CVE-2024-1591 Feb 16, 2024
Local Authenticated Sysvol View via Privilege Management for Windows (pre-24.1)
Prior to version 24.1, a local authenticated attacker can view Sysvol when Privilege Management for Windows is configured to use a GPO policy. This allows them to view the policy and potentially find configuration issues.
Products: Privilege Management Windows

CVE-2023-49944 Dec 25, 2023
BeyondTrust PMfW Challenge-Response Bypass via Key Decryption
The Challenge Response feature of BeyondTrust Privilege Management for Windows (PMfW) before 2023-07-14 allows local administrators to bypass this feature by decrypting the shared key, or by locating the decrypted shared key in process memory. The threat is mitigated by the Agent Protection feature.
Products: Privilege Management Windows

CVE-2020-12614 Dec 12, 2023
Privilege Escalation via Publisher Criteria in BeyondTrust Privilege Mgt 5.6
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. If the publisher criteria is selected, it defines the name of a publisher that must be present in the certificate (and also requires that the certificate is valid). If an Add Admin token is protected by this criteria, it can be leveraged by a malicious actor to achieve Elevation of Privileges from standard user to administrator.
Products: Privilege Management Windows

CVE-2020-28369 Dec 12, 2023
Cryptbase.dll Load from USER-WRITABLE Temp in BeyondTrust PMfW 5.7
In BeyondTrust Privilege Management for Windows (aka PMfW) through 5.7, a SYSTEM installation causes Cryptbase.dll to be loaded from the user-writable location %WINDIR%\Temp.
Products: Privilege Management Windows

CVE-2020-12612 Dec 12, 2023
BT PM for Windows 5.6 Vulnerable to env var manipulation (CVE-2020-12612)
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. When specifying a program to elevate, it can typically be found within the Program Files (x86) folder and therefore uses the %ProgramFiles(x86)% environment variable. However, when this same policy gets pushed to a 32bit machine, this environment variable does not exist. Therefore, since the standard user can create a user level environment variable, they can repoint this variable to any folder the user has full control of. Then, the folder structure can be created in such a way that a rule matches and arbitrary code runs elevated.
Products: Privilege Management Windows

CVE-2020-12615 Dec 12, 2023
Privilege Escalation: BeyondTrust PrivMgt Win <=5.6 Token Theft
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. When adding the Add Admin token to a process, and specifying that it runs at medium integrity with the user owning the process, this security token can be stolen and applied to arbitrary processes.
Products: Privilege Management Windows

CVE-2021-3187 Dec 11, 2023
BeyondTrust PrivilegeMgmt macOS v<5.7: PrivEsc via Malicious Script
An issue was discovered in BeyondTrust Privilege Management for Mac before 5.7. An authenticated, unprivileged user can elevate privileges by running a malicious script (that executes as root from a temporary directory) during install time. (This applies to macOS before 10.15.5, or Security Update 2020-003 on Mojave and High Sierra. Later versions of macOS are not vulnerable.)
Products: Privilege Management For Mac

CVE-2020-12613 Dec 11, 2023
BT PM for Windows <5.6: Multi-User Token Elevation
An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. An attacker can spawn a process with multiple users as part of the security token (prior to Avecto elevation). When Avecto elevates the process, it removes the user who is launching the process, but not the second user. Therefore this second user still retains access and can give permission to the process back to the first user.
Products: Privilege Management Windows

CVE-2023-23632 Oct 12, 2023
BeyondTrust PRA (22.2-22.4) Local Auth Bypass via BYOT Shell
BeyondTrust Privileged Remote Access (PRA) versions 22.2.x to 22.4.x are vulnerable to a local authentication bypass. Attackers can exploit a flawed secret verification process in the BYOT shell jump sessions, allowing unauthorized access to jump items by guessing only the first character of the secret.
Products: Privileged Remote Access

CVE-2023-4310 Sep 05, 2023
BeyondTrust PRA/RS 23.2.1-23.2.2 Cmd Injection via HTTP
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 23.2.1 and 23.2.2 contain a command injection vulnerability which can be exploited through a malicious HTTP request. Successful exploitation of this vulnerability can allow an unauthenticated remote attacker to execute underlying operating system commands within the context of the site user. This issue is fixed in version 23.2.3.
Products: Remote Support, Privileged Remote Access

CVE-2021-31589 Jan 05, 2022
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
Products: Appliance Base Software

CVE-2021-42254 Nov 19, 2021
BeyondTrust Privilege Management prior to version 21.6 creates a Temporary File in a Directory with Insecure Permissions.
Products: Privilege Management Windows

CVE-2021-3156 Jan 26, 2021
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Products: Privilege Management For Mac, Privilege Management Unixlinux

CVE-2020-9326 Mar 18, 2020
BeyondTrust Privilege Management for Windows and Mac (aka PMWM; formerly Avecto Defendpoint) 5.1 through 5.5 before 5.5 SR1 mishandles command-line arguments with PowerShell .ps1 file extensions present, leading to a DefendpointService.exe crash.
Products: Privilege Management Windows Mac

CVE-2018-10959 Apr 17, 2019
Avecto Defendpoint 4 prior to 4.4 SR6 and 5 prior to 5.1 SR1 has an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker's process launch.
Products: Avecto Defendpoint

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).