CISA added the critical flaw, CVE-2024-12356, to its Known Exploited Vulnerabilities (KEV) catalog on 19 December, an action indicating the agency had information that the flaw had been exploited in the wild. This led some to believe it was probably the flaw exploited in the attack that led to the compromise of workstations at the US Treasury.
Second flaw also exploited in the wild
However, on Monday, CISA added the second, medium-risk vulnerability, CVE-2024-12686, to KEV as well. It’s not clear whether this flaw was exploited as part of the same attacks or in new ones after the BeyondTrust disclosure. Under CISA’s mandate, government agencies have until 3 February to identify whether they have vulnerable deployments and make sure the patches are applied.
Last week, in an update on its investigation into the Treasury breach, CISA said it didn’t have any indication that other government agencies had been impacted in the attack.