A newly disclosed high-risk vulnerability, tracked as CVE-2026-1731, affects self-managed deployments of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw lets an unauthenticated remote attacker send specially crafted requests that trigger operating system command execution on vulnerable appliances; no login is required, so a remote attacker can gain code execution on the system without authentication.
Due to active exploitation in the wild, the issue has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. U.S. federal agencies have been instructed to remediate the flaw before February 16, 2026. While BeyondTrust’s cloud-hosted environments were automatically secured earlier this month, organizations running on-premises installations remain exposed until patches are manually applied.
How the Attack Unfolds
Threat activity observed by security researchers shows that attackers begin by targeting unpatched BeyondTrust appliances. After gaining initial access, they deploy the SimpleHelp Remote Monitoring and Management (RMM) tool to maintain persistence inside the network.
To avoid raising alarms, the malicious SimpleHelp components are often renamed to appear harmless — for example, “remote access.exe” — and executed from directories such as ProgramData. This basic disguise technique helps bypass casual inspection.
Once inside, the attackers move quickly. They leverage built-in Windows utilities to create new domain accounts and immediately assign them to powerful groups like Domain Admins and Enterprise Admins. This step effectively hands them unrestricted control over the organization’s Active Directory environment.
With elevated privileges secured, reconnaissance begins. Tools such as AdsiSearcher are used to enumerate domain-joined systems and map out the network. Additional discovery commands gather details about shared folders, configurations, and connected assets.
To widen their reach, attackers deploy PsExec to push SimpleHelp across multiple machines and rely on Impacket-based SMB activity for lateral movement. The result is rapid domain-wide compromise if the intrusion is not detected early.
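The chain described above leaves a recognisable trail in Windows Security logs: a process launched from ProgramData under a benign-looking name, a new account (Event ID 4720) and, minutes later, that account added to Domain Admins or Enterprise Admins (Event IDs 4728 and 4756). The following detection logic is an added example written for this article, not code from BeyondTrust or from any vendor; the log lines are constructed in a simplified "timestamp key=value" form that mimics those event fields, and the field names, hosts and account names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from a real incident). The format is a
# simplified "timestamp key=value ..." rendering of Windows Security log fields.
SAMPLE_EVENTS = [
    "2026-02-10T09:01:12 EventID=4688 Host=WS01 NewProcessName=C:\\ProgramData\\remote access.exe User=CORP\\svc_support",
    "2026-02-10T09:03:40 EventID=4720 Host=DC01 TargetUserName=helpdesk2 SubjectUserName=svc_support",
    "2026-02-10T09:04:05 EventID=4728 Host=DC01 MemberName=CN=helpdesk2,CN=Users,DC=corp,DC=local TargetUserName=Domain Admins SubjectUserName=svc_support",
    "2026-02-10T09:04:09 EventID=4756 Host=DC01 MemberName=CN=helpdesk2,CN=Users,DC=corp,DC=local TargetUserName=Enterprise Admins SubjectUserName=svc_support",
    "2026-02-10T09:30:00 EventID=4688 Host=WS02 NewProcessName=C:\\Program Files\\Mozilla Firefox\\firefox.exe User=CORP\\alice",
    "2026-02-11T14:00:00 EventID=4728 Host=DC01 MemberName=CN=bob,CN=Users,DC=corp,DC=local TargetUserName=Sales SubjectUserName=admin",
]

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}
GROUP_ADD_EVENTS = {"4728", "4756"}  # member added to a global / universal security group
# Indicators taken from the write-up: a renamed RMM binary executed from ProgramData.
PROGRAMDATA_PREFIX = "c:\\programdata\\"
KNOWN_DISGUISED_NAMES = {"remote access.exe"}


def parse_event(line):
    """Parse one log line into a dict; the leading timestamp becomes 'time'."""
    ts, _, rest = line.partition(" ")
    # Values may contain spaces, so split only where a space precedes the next key=.
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def is_suspicious_process(ev):
    """Process creation under ProgramData with a known disguised name or SimpleHelp in the path."""
    if ev.get("EventID") != "4688":
        return False
    path = ev.get("NewProcessName", "").lower()
    name = path.rsplit("\\", 1)[-1]
    return path.startswith(PROGRAMDATA_PREFIX) and (
        name in KNOWN_DISGUISED_NAMES or "simplehelp" in path
    )


def is_privileged_group_add(ev):
    """Membership change whose target group is one of the high-value AD groups."""
    return (
        ev.get("EventID") in GROUP_ADD_EVENTS
        and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS
    )


def member_cn(dn):
    """Extract the account name from a distinguished name such as CN=bob,CN=Users,..."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else dn.lower()


def run_detections(lines, window=timedelta(minutes=10)):
    """Return alerts for the three stages: disguised RMM, privileged group add,
    and a freshly created account escalated within `window` of its creation."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    created = {}  # account name -> creation time (Event ID 4720)
    alerts = []
    for ev in events:
        if ev.get("EventID") == "4720":
            created[ev["TargetUserName"].lower()] = ev["time"]
        if is_suspicious_process(ev):
            alerts.append({"kind": "renamed_rmm_in_programdata", "host": ev["Host"],
                           "detail": ev["NewProcessName"]})
        if is_privileged_group_add(ev):
            acct = member_cn(ev["MemberName"])
            alerts.append({"kind": "privileged_group_add", "host": ev["Host"],
                           "detail": f"{acct} -> {ev['TargetUserName']}"})
            if acct in created and timedelta(0) <= ev["time"] - created[acct] <= window:
                alerts.append({"kind": "new_account_escalation", "host": ev["Host"],
                               "detail": f"{acct} created {ev['time'] - created[acct]} before add"})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample the logic raises five alerts: the disguised binary on WS01, the two privileged group additions, and two correlations tying the helpdesk2 account's creation to its escalation within seconds. The firefox launch and the addition of bob to Sales are ignored. In a real deployment the interesting tuning knobs are the correlation window and the allowlist of legitimate executables under ProgramData, which varies by environment.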
Affected Versions and Required Updates
Organizations running the following versions are impacted:
- Remote Support (RS): Version 25.3.1 and earlier → Apply patch BT26-02-RS
- Privileged Remote Access (PRA): Version 24.3.4 and earlier → Apply patch BT26-02-PRA
Systems running outdated builds must first upgrade to a supported release before installing the relevant security fix.
BeyondTrust confirmed that all cloud instances were patched automatically on February 2, 2026. However, on-premises customers are responsible for updating their own environments.
Why This Matters
Exploitation does not require user interaction. A successful attack can lead to complete domain takeover, sensitive data theft, operational disruption, and long-term persistence within the environment.
For organizations relying on self-hosted BeyondTrust solutions, immediate patching is critical. Delaying remediation significantly increases the risk of full Active Directory compromise.