BeyondTrust Privileged Remote Access 24.3 Takeover

Published: 07 May 2025 00:00:00. Reported by Paul Szabo. Type: packetstorm. Source: packetstorm.news. 172 views.

BeyondTrust Privileged Remote Access 24.3 lets another user on the same client machine observe the SSH command line and seize the session.

Related

Reporter   Title                                                                     Published
Circl      CVE-2023-23632                                                            13 Oct 2023 00:23
Circl      CVE-2025-0217                                                             5 May 2025 20:03
CNNVD      BeyondTrust Privileged Remote Access Authorization Issues Vulnerability   12 Oct 2023 00:00
CNNVD      BeyondTrust Privileged Remote Access Security Vulnerability               5 May 2025 00:00
CVE        CVE-2023-23632                                                            12 Oct 2023 00:00
CVE        CVE-2025-0217                                                             5 May 2025 17:00
Cvelist    CVE-2023-23632                                                            12 Oct 2023 00:00
Cvelist    CVE-2025-0217 Privileged Remote Access Authentication Bypass              5 May 2025 17:00
EUVD       EUVD-2025-13455                                                           3 Oct 2025 20:07
NVD        CVE-2023-23632                                                            12 Oct 2023 20:15
=== Details ========================================================
    
    Vendor:   BeyondTrust
    Product:  Privileged Remote Access (PRA)
    Subject:  PRA connection takeover
    CVE ID:   CVE-2025-0217
    CVSS:     7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Author:   Paul Szabo <[email protected]>
    Date:     2025-05-05
    
    === Introduction ===================================================
    
    I noticed an issue in
    BeyondTrust Privileged Remote Access (PRA) [1]
    when using the PRA "Desktop Access Console" with the
    "Open Shell Jump Sessions with an External Tool" option [2]
    for accessing Linux servers.
    
    === Affected version ===============================================
    
    BeyondTrust Privileged Remote Access (PRA) 24.3
    
    === Technical Description ==========================================
    
    The "Desktop Access Console" creates an SSH tunnel so the command
    
      ssh -l USERNAME -p PORTNUMBER 127.0.0.1
    
    will provide password-less login to the server; the USERNAME and
    PORTNUMBER are randomized and shown on the screen of the PRA console.
    
    While the legitimate user is using this SSH command (whether by
    clicking "open SSH client" or typing it manually), the command and
    arguments can be observed by any other user on the client machine,
    simply by using the command
    
      ps -Af
    
    on Mac or Linux, or
    
      wmic process get commandline
    
    (by privileged users only) on Windows. That other user could then
    run the very same SSH command to take over the tunneled connection,
    obtaining privileged login access to the server.
    
    Steps to reproduce:
    1. The legitimate user uses the PRA "Desktop Access Console" with the
       "Open Shell Jump Sessions with an External Tool" option enabled,
       and opens an SSH client.
    2. Another user on the same client machine observes the SSH command
       line of the legitimate user, then runs the same command and obtains
       privileged access to the server.
    
    This clearly is an issue on multi-user client machines. At some
    institutions, anyone with a corporate login can log in to some
    laptops; those laptops are then also a target for an attacker who
    leaves an attacking script running as a background task.
    
    === Workaround =====================================================
    
    Refrain from using the external tools option. Arguably, the only
    purpose of the "Desktop Access Console" is to use external tools:
    do not use it.
    
    === Fixed version ==================================================
    
    BeyondTrust Privileged Remote Access (PRA) 25.1.1
    
    === Timeline =======================================================
    
    2024-11-28  Discovered by Paul Szabo
    2024-12-04  Reported to [email protected]
    2024-12-11  Reported to [email protected]
    2024-12-17  Initial response from BeyondTrust
    2024-12-27  BeyondTrust does not consider this a vulnerability, and
                will leave it up to customers to disable external tools
    2025-01-04  BeyondTrust evaluating multiple different solutions
    2025-01-04  CVE-2025-0217 assigned by BeyondTrust [3]
    2025-01-14  Somewhat invalid on Windows
    2025-01-15  Suggested verify connecting user to BeyondTrust
    2025-03-14  BeyondTrust will fix by verifying connecting user
    2025-04-03  BeyondTrust released PRA version 25.1.1 - fixed
    2025-05-05  Coordinated public disclosure [4]
    
    === Comments =======================================================
    
    This issue is similar to CVE-2023-23632 [5,6], and has the same impact.
    Curious how:
     - this issue was not noticed back then, and
     - CVE-2023-23632 is missing from the BeyondTrust advisories page [7].
    
    Curious how BeyondTrust persisted with a secret username, and hoped
    to mitigate by hiding it with SSH aliases. Fix by verifying the
    connecting user, as also suggested for OpenSSH [8].
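The fix the advisory asks for, verifying the connecting user rather than relying on a secret username, can be done on Linux by looking up the owner UID of the client's socket in /proc/net/tcp. The following is an added example, not BeyondTrust's or OpenSSH's code; it assumes a Linux host, a loopback listener, and a constructed /proc/net/tcp sample in the accompanying checks.

```python
# Added example (not BeyondTrust's or OpenSSH's code): verify which local
# user connected to a loopback tunnel endpoint. Linux-only: /proc/net/tcp
# records the owner UID of every TCP socket, including the client's end.
import os
import socket
import sys

def hex_ip(ip: str) -> str:
    """Dotted-quad IPv4 -> the 8 hex digits /proc/net/tcp uses (host byte
    order, so a little-endian machine shows 127.0.0.1 as 0100007F)."""
    raw = socket.inet_aton(ip)
    return (raw[::-1] if sys.byteorder == "little" else raw).hex().upper()

def parse_proc_net_tcp(text: str) -> dict:
    """Map (local_hex_ip, local_port) -> owner UID for every socket row."""
    owners = {}
    for row in text.splitlines()[1:]:           # first line is the header
        fields = row.split()
        if len(fields) < 8:
            continue
        ip, port = fields[1].split(":")          # local_address column
        owners[(ip, int(port, 16))] = int(fields[7])   # uid column
    return owners

def peer_is_allowed(owners, client_ip, client_port, expected_uid):
    """True only when the client's socket is owned by expected_uid.
    A missing row (owner unknown) is a rejection, not a pass."""
    return owners.get((hex_ip(client_ip), client_port)) == expected_uid

def verify_connection(conn: socket.socket) -> bool:
    """Live check on an accepted loopback connection: the peer's
    address:port is the *local* address of the client's socket."""
    ip, port = conn.getpeername()[:2]
    with open("/proc/net/tcp") as f:
        owners = parse_proc_net_tcp(f.read())
    return peer_is_allowed(owners, ip, port, os.getuid())

if __name__ == "__main__":
    # Self-check: connect to our own listener, so the peer is our own UID.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    print("connecting user verified:", verify_connection(conn))
    for s in (conn, cli, srv):
        s.close()
```

With the owner check in place, a command line observed via ps no longer works as a credential: a second local user reaching the same port is rejected because their socket carries their own UID.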
    
    This issue was observed for SSH into Linux servers. I have no access
    to Windows servers, and do not know whether RDP is affected by a
    similar issue.
    
    === References =====================================================
    
    [1] https://www.beyondtrust.com/products/privileged-remote-access
    [2] https://www.beyondtrust.com/docs/privileged-remote-access/getting-started/access-console/settings.htm
    [3] https://www.cve.org/CVERecord?id=CVE-2025-0217
    [4] https://www.beyondtrust.com/trust-center/security-advisories/bt25-03
    [5] https://www.cve.org/CVERecord?id=CVE-2023-23632
    [6] https://www.compass-security.com/fileadmin/Research/Advisories/2023_03_CSNC-2022-018_PRA_Privilege_Escalation.txt
    [7] https://www.beyondtrust.com/trust-center/security-advisories
    [8] https://bugzilla.mindrot.org/show_bug.cgi?id=3802
    
    ====================================================================
    
    Paul Szabo       [email protected]       www.maths.usyd.edu.au/u/psz
    School of Mathematics and Statistics   University of Sydney    Australia

Scores (as of 07 May 2025 00:00)

Vulners AI Score: 7.5 (high risk)
CVSS 3.1: 7.8
CVSS 4: 7.3
EPSS: 0.00193