Unverified attack spree in December affected 17 BeyondTrust clients
In a significant cybersecurity incident, Chinese state-linked threat actors have breached the U.S. Treasury Department, exploiting multiple zero-day vulnerabilities in BeyondTrust's Remote Support and Privileged Remote Access products.
The attack, which occurred in late 2024, began with the hackers exploiting two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686. A PostgreSQL zero-day, CVE-2025-1094, was employed later. These exploits allowed the attackers to steal an API key, which was subsequently used to compromise 17 Remote Support SaaS instances, including those at the U.S. Treasury Department.
The hackers specifically targeted the Treasury’s Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS), agencies involved in trade sanctions and national security reviews. The breach led to the theft of sensitive, though unclassified, information about potential sanctions and other important documents.
In mid-2025, a new vulnerability, CVE-2025-5309, was disclosed in the BeyondTrust Chat Feature. Exploited using the stolen API key, it further increased the risk by allowing full control over affected servers, enabling lateral movement and data exfiltration.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, 2024, issuing an order for all U.S. federal agencies to patch affected systems within a week, by January 13, 2025. After the breach was discovered on December 8, 2024, federal agencies intensified cybersecurity measures, and the Treasury Department publicly acknowledged the incident as a major cyberattack linked to Chinese government actors.
BeyondTrust, a global provider of identity security services to over 20,000 customers, including 75% of Fortune 100 companies, is working to address and mitigate these vulnerabilities. The company has patched all SaaS instances of Remote Support and is assisting self-hosted customers with patching their own deployments. BeyondTrust has also shared information with law enforcement authorities and threat information-sharing groups.
The incident underscores ongoing state-sponsored cyber threats targeting critical U.S. government infrastructure and private sector organizations worldwide. The U.S. administration has previously signaled its intent to strengthen federal security practices in response to such attacks, including the recent Treasury Department compromise. The Biden Executive Order on cybersecurity includes provisions to strengthen federal security protocols and grants more authority to take action against malicious actors targeting the U.S.
- The cybersecurity incident at the U.S. Treasury Department, attributed to Chinese state-linked threat actors, involved the exploitation of multiple zero-day vulnerabilities in BeyondTrust's products, underscoring the persistence of state-sponsored cyber threats.
- The politically charged scenario unfolded as the hackers targeted specific agencies, such as the Treasury’s Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS), demonstrating how cybersecurity threats can affect news coverage and national policy.
- In the wake of the breach, the Cybersecurity and Infrastructure Security Agency (CISA) also addressed a new vulnerability, CVE-2025-5309, affecting BeyondTrust's Chat Feature, underscoring the importance of timely patching and proactive cybersecurity measures to protect sensitive information and critical infrastructure.