CVE-2024-12356 · OWASP A05 · Injection · CWE-89 SQL Injection · CVSS 9.8 Critical
BeyondTrust Remote Support — SQL injection to breach
A SQL injection in a remote-support product was part of the chain that reached the US Treasury.
What happened
In late 2024 into 2025, attackers exploited an injection flaw in BeyondTrust's Remote Support and Privileged Remote Access products as part of an intrusion chain that ended inside the US Treasury Department. SQL injection has sat at #1 or #3 in the OWASP Top 10 for nearly twenty years because string-built queries are still everywhere.
The code
✕ Vulnerable — SQL injection
// String-concatenated SQL — the classic sink
const q = "SELECT * FROM users WHERE email = '" + email + "'";
db.query(q); // email = "x' OR '1'='1" dumps every row
✓ Fixed — SQL injection
// Parameterized query — the driver separates code from data
db.query("SELECT * FROM users WHERE email = $1", [email]);
// + least-privilege DB user, and an allowlist for any dynamic identifiers
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit.
Benteng · a Palu Gada tool.