Threat actors are leveraging this flaw to execute operating system commands remotely without authentication.
The flaw, discovered in self-hosted BeyondTrust deployments, allows unauthenticated attackers to run arbitrary OS commands via specially crafted HTTP requests, executing them under the site user’s privileges.
Cloud-hosted BeyondTrust instances have already been automatically patched as of February 2, 2026. However, self-hosted customers must apply updates manually to mitigate exploitation risks.
Arctic Wolf’s analysis revealed attackers deploying SimpleHelp Remote Access binaries as part of their post-exploitation activity.
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-1731 | 9.8 (Critical) | Unauthenticated OS command injection in BeyondTrust RS and PRA enabling remote code execution and full system compromise. |
These binaries were created through BeyondTrust Bomgar processes running under the SYSTEM account and saved in the ProgramData directory, commonly named remote access.exe.
The attackers used net user and net group commands to create privileged domain accounts, effectively granting themselves Enterprise Admin or Domain Admin rights.
For reconnaissance, the AdsiSearcher function was executed to enumerate Active Directory computers, alongside network discovery commands such as net share, ipconfig /all, and systeminfo.
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Remote Support (RS) | 25.3.1 and prior | Patch BT26-02-RS (v21.3–25.3.1) |
| Privileged Remote Access (PRA) | 24.3.4 and prior | Patch BT26-02-PRA (v22.1–24.X) |
Arctic Wolf investigators noted the use of PSExec and Impacket SMBv2 session setup requests, suggesting coordinated propagation of the SimpleHelp tool across multiple networked hosts.
Security experts strongly advise patching all vulnerable versions immediately. All cloud-based BeyondTrust customers are already protected.
CISA advises that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded before applying the patch.
Administrators should review systems for unauthorized SimpleHelp binaries, suspicious admin accounts, and unusual network traffic related to SMB sessions.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control appeared first on Cyber Security News.
On Friday afternoon, Donald Trump posted on Truth Social, accusing Anthropic, the AI company behind…
For years, taking down a botnet meant finding its command-and-control (C2) server, seizing the domain,…
A Go-based command-and-control (C2) framework originally marketed within Chinese-speaking offensive security communities has been quietly…
A newly discovered malware campaign has been quietly targeting educational institutions and healthcare organizations across…
New filings announced last week aim to stop the Trump administration from further restricting federal…
Bluepoint, the studio behind the successful Shadow of the Colossus and Demon's Souls remakes, reportedly…
This website uses cookies.