A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
The shortcoming was uncovered during an ongoing forensics investigation that was initiated following a 'security incident' on December 2, 2024, involving a 'limited number of Remote Support SaaS customers.'
If customers are on a version older than 22.1, they will need to upgrade in order to apply this patch.
The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection.
Collection
[
|
...
]