The Cyber Security Agency of Singapore’s disclosure of multiple vulnerabilities in BeyondTrust products — coming weeks after the CVSS 9.2 bypass disclosure — reinforces a pattern that privileged access management teams need to take seriously: PAM platforms themselves are becoming a deliberate target for sophisticated actors, and vulnerability discovery is not slowing down.

The problem these disclosures create is one of escalating urgency. PAM platforms are trusted with the keys to every critical system an organisation runs — domain controllers, cloud root accounts, database admin credentials, and network infrastructure. Each new vulnerability discovered in a PAM platform creates a window of uncertainty: Did this flaw exist in our deployed version? Has it been exploited against us during the window between discovery and patching? The Cyber Security Agency of Singapore flagging *multiple* vulnerabilities at once (rather than a single isolated issue) suggests either a deeper code-quality issue or a more systematic approach to PAM product testing by security researchers and threat actors alike.

For organisations running privileged access management infrastructure, the escalating vulnerability cadence should trigger two immediate actions. First, vulnerability disclosure from PAM vendors needs to move from a quarterly or ad-hoc patch cycle to a continuous monitoring model — treating PAM platform updates with the same urgency and frequency as kernel patches on critical infrastructure. Second, PAM platforms should be subject to regular independent security testing, not just vendor security bulletins. Waiting for a vendor to discover and disclose a vulnerability is a passive stance that leaves organisations exposed for months; periodic third-party penetration testing of the PAM platform itself is a necessary control.

There’s also a harder architectural question worth asking: Is a single PAM platform managing all privileged credentials appropriate given the escalating risk surface? Some high-security deployments are exploring distributed or multi-vendor PAM architectures — using different platforms for different credential categories (cloud, on-premises, database), or layering a second system for independent verification of privileged account activity. This introduces operational complexity but reduces the blast radius of a critical PAM platform vulnerability to a subset of credentials rather than the full estate.

For CISOs, the message from repeated PAM vulnerabilities is clear: treat your PAM platform with the same security rigor — continuous patching, active monitoring, independent testing — that you apply to domain controllers, not the “security tooling” category that can lag a few patch cycles.

Source: Cyber Security Agency of Singapore