BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration

BeyondTrust Flaw: Because Of Course The Security Software Is Insecure

For fuck’s sake. Just when you thought your privileged access management was safe—because some silver-tongued vendor wanker in a suit swore blind it was “military-grade”—BeyondTrust drops a critical vulnerability that’s being actively exploited right now. CVE-2025-I-TOLD-YOU-SO allows unauthenticated remote code execution, which is cybersecurity speak for “the bad guys can pwn your entire network while you’re still trying to remember your password.”

The flaw, some pathetic path traversal bullshit in the Remote Support appliance’s upload handling, means the filename the attacker sends is trusted as-is: stuff a couple of “../” segments into it and the “upload” lands wherever they like, including a directory the web server hands straight to its interpreter. That is all a web shell is: their file, your runtime. It lets attackers drop shells faster than users click phishing links, and they’re naming them shit like “legit-update.jsp” because your SOC team couldn’t find their own arse with both hands and a GPS. Once those webshells are in, it’s open season: backdoors get planted, persistence is established, and your precious data gets exfiltrated to some server in a country you’ve never heard of, all while your CISO presents quarterly security metrics that show “improved posture.” Posture my arse.
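What that traversal looks like in code, as an added example (mine, not BeyondTrust’s and not from the advisory): a bare-bones upload handler with the bug beside a hardened one. The directory layout, the function names, the attacker’s filename and the JSP body are all assumptions constructed for this example; the hardened version refuses the shell three independent ways so one missed check doesn’t sink you.

```python
import tempfile
from pathlib import Path

# Constructed attacker input for this example: the filename carries the
# traversal, the body is a JSP one-liner that runs whatever "cmd" says.
ATTACKER_FILENAME = "../webroot/legit-update.jsp"
ATTACKER_BODY = b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'

# Extensions the web server would hand to an interpreter rather than serve as bytes.
SERVER_SIDE_EXTS = {".jsp", ".jspx", ".asp", ".aspx", ".php", ".war"}


def vulnerable_save(upload_dir: Path, filename: str, data: bytes) -> Path:
    """The bug: the client-supplied name is joined onto upload_dir as-is,
    so '../' segments walk straight out of it."""
    dest = upload_dir / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def hardened_save(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Three independent checks; any one of them stops this particular attack."""
    # 1. A filename is a filename. Separators and dot segments are rejected, not "cleaned".
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected {filename!r}: path separator or dot segment")
    # 2. Never accept a name the server would execute, whatever directory it lands in.
    if Path(filename).suffix.lower() in SERVER_SIDE_EXTS:
        raise ValueError(f"rejected {filename!r}: server-side script extension")
    # 3. Canonicalise and prove containment; catches symlink tricks the string checks miss.
    root = upload_dir.resolve()
    dest = (root / filename).resolve()
    if root not in dest.parents:
        raise ValueError(f"rejected {filename!r}: resolves outside {root}")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Runs both handlers against the same upload in a throwaway layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        uploads, webroot = base / "uploads", base / "webroot"
        uploads.mkdir()
        webroot.mkdir()

        # Vulnerable handler: the "upload" ends up in webroot, where it executes.
        landed = vulnerable_save(uploads, ATTACKER_FILENAME, ATTACKER_BODY)
        vulnerable_wrote_to_webroot = landed.resolve().parent == webroot.resolve()

        # Hardened handler: same request is refused outright.
        try:
            hardened_save(uploads, ATTACKER_FILENAME, ATTACKER_BODY)
            hardened_blocked_traversal = False
        except ValueError:
            hardened_blocked_traversal = True

        # Same shell without traversal: still refused, this time by the extension check.
        try:
            hardened_save(uploads, "legit-update.jsp", ATTACKER_BODY)
            hardened_blocked_plain_shell = False
        except ValueError:
            hardened_blocked_plain_shell = True

        # A boring file still works and stays where it belongs.
        benign = hardened_save(uploads, "report.txt", b"quarterly posture metrics")
        return {
            "vulnerable_wrote_to_webroot": vulnerable_wrote_to_webroot,
            "hardened_blocked_traversal": hardened_blocked_traversal,
            "hardened_blocked_plain_shell": hardened_blocked_plain_shell,
            "hardened_kept_benign_in_uploads": benign.parent == uploads.resolve(),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hardened version rejects rather than sanitises on purpose: stripping “../” and carrying on is how you end up with “....//” collapsing back into a traversal after one pass.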

Security researchers—those poor bastards who actually give a shit—have identified active campaigns targeting this bug since before BeyondTrust even admitted it existed. Attackers are chaining it with stolen credentials (which they got from your last breach, not this one) to move laterally and establish beachheads. They’re using DNS tunneling and HTTPS exfiltration because your DLP solution is about as effective as a chocolate fireguard. Your firewalls? They’re logging everything to /dev/null because “storage is expensive.”

BeyondTrust’s advisory is a masterpiece of corporate bollocks: “We recommend customers apply the patch immediately.” No shit, really? The patch has been out for a month, but your change control board is still arguing about whether to test it in the “non-prod” environment that hasn’t existed since 2019. Meanwhile, attackers are reading your CEO’s emails and selling them to competitors for lunch money.

Here’s what you should do, not that you’ll fucking do it:

1. Patch the goddamn software RIGHT NOW. Stop reading, just patch.

2. Hunt for webshells: list the .jsp, .aspx, and .war files under the webroot and upload directories that were modified after the disclosure, then diff what’s on disk against the files the vendor package actually ships. A “legit-update.jsp” that no package owns is your answer (assuming you know what that means).

3. Check your logs for suspicious POST requests and file upload
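Steps 2 and 3 as something you can actually run, added here as an example of mine rather than anything from BeyondTrust or the advisory. The webroot layout, the vendor baseline, the endpoint names and the access-log lines are all constructed for the example; in real use point hunt_files at the appliance’s webroot with the vendor’s shipped-file list as the baseline, and feed scan_log the real access log.

```python
import os
import re
import tempfile
import time
from pathlib import Path
from urllib.parse import unquote

SHELL_EXTS = {".jsp", ".jspx", ".asp", ".aspx", ".php", ".war"}
TRAVERSAL = re.compile(r"\.\.[/\\]")
SHELL_PARAMS = re.compile(r"[?&](cmd|exec|command|c)=", re.I)
# Common/combined access-log prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def hunt_files(root: Path, since_epoch: float, baseline: frozenset) -> list:
    """(relative_path, reason) for server-side scripts under root that either are
    not in the vendor's shipped-file list or were modified after since_epoch."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SHELL_EXTS:
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            hits.append((rel, "not in vendor baseline"))
        elif p.stat().st_mtime >= since_epoch:
            hits.append((rel, "modified after disclosure"))
    return hits


def scan_log(lines) -> list:
    """(ip, reason, raw_target) for requests that look like upload traversal or shell use."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice: %2e%2e and the double-encoded %252e%252e both collapse to '..'
        decoded = unquote(unquote(m["target"]))
        path = decoded.split("?", 1)[0]
        is_script = Path(path).suffix.lower() in SHELL_EXTS
        if m["method"] == "POST" and TRAVERSAL.search(decoded):
            findings.append((m["ip"], "traversal in upload", m["target"]))
        elif is_script and SHELL_PARAMS.search(decoded):
            findings.append((m["ip"], "command parameter to script", m["target"]))
        elif is_script and m["method"] == "POST":
            # Noisy on apps that legitimately POST to .jsp; filter against known endpoints.
            findings.append((m["ip"], "POST to server-side script", m["target"]))
    return findings


def chained_sources(findings) -> set:
    """IPs that both abused the upload and then talked to a script: start the incident here."""
    uploaders = {ip for ip, reason, _ in findings if reason == "traversal in upload"}
    shell_users = {ip for ip, reason, _ in findings if reason != "traversal in upload"}
    return uploaders & shell_users


# Constructed log lines (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2025:03:14:07 +0000] "GET /remote/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2025:03:15:22 +0000] "POST /upload?name=..%2F..%2Fwebroot%2Flegit-update.jsp HTTP/1.1" 200 43',
    '203.0.113.7 - - [12/Jan/2025:03:15:31 +0000] "GET /legit-update.jsp?cmd=id HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Jan/2025:03:16:02 +0000] "POST /legit-update.jsp HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Jan/2025:03:17:45 +0000] "POST /upload?name=report.pdf HTTP/1.1" 200 43',
]


def demo() -> dict:
    """Builds a throwaway webroot with one untouched vendor file, one edited vendor file
    and one dropped shell, then runs both hunts."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "webroot").mkdir()
        (root / "uploads").mkdir()
        (root / "webroot" / "index.jsp").write_text("<%-- vendor file --%>")
        (root / "webroot" / "app.jsp").write_text("<%-- vendor file, edited --%>")
        (root / "webroot" / "legit-update.jsp").write_text("<% /* dropped */ %>")
        (root / "uploads" / "report.pdf").write_bytes(b"%PDF-1.4")
        old = now - 400 * 86400
        os.utime(root / "webroot" / "index.jsp", (old, old))  # untouched since install
        baseline = frozenset({"webroot/index.jsp", "webroot/app.jsp"})
        files = hunt_files(root, since_epoch=now - 30 * 86400, baseline=baseline)
    log = scan_log(SAMPLE_LOG)
    return {"files": files, "log": log, "chained": chained_sources(log)}


if __name__ == "__main__":
    print(demo())
```

The file hunt flags two things separately: a script nobody shipped, and a shipped script whose mtime moved after disclosure, so an attacker who edits a vendor file instead of dropping a new one still shows up. The log scan decodes the target twice so double-encoded traversal doesn’t slip past, and only the IPs that both abused the upload and then talked to a script end up in chained_sources, which is where the incident starts.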