BeyondTrust CVE-2026-1731 Actively Exploited for Domain Takeover


Attackers exploit a critical BeyondTrust vulnerability, CVE-2026-1731, in the wild to run OS commands and seize full domain control. This unauthenticated flaw hits self-hosted Remote Support (RS) and Privileged Remote Access (PRA) deployments via crafted HTTP requests.

The issue scores 9.8 on CVSS. It lets remote actors execute code under site user privileges without login. Cloud-hosted BeyondTrust fixed it automatically on February 2, 2026. Self-hosted users must patch manually now.

Arctic Wolf spotted real attacks. Threat actors drop SimpleHelp Remote Access tools post-breach. They create admin accounts and scout networks for deeper access.

BeyondTrust released patches BT26-02-RS and BT26-02-PRA. RS versions up to 25.3.1 and PRA versions up to 24.3.4 are affected; deployments running RS below 21.3 or PRA below 22.1 must be upgraded to a supported version before the patch can be applied.

CISA added it to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must patch by March 10, 2026.

Arctic Wolf shared attack observations. 

Technical Breakdown

Attackers send crafted HTTP requests that inject OS commands. The exploit runs under SYSTEM via Bomgar processes. The dropped SimpleHelp payload lands in ProgramData as remote access.exe.

Post-exploitation steps include net user and net group commands to create accounts and grant them Domain Admin rights. Reconnaissance uses AdsiSearcher, net share, ipconfig, and systeminfo. Lateral movement uses PSExec and Impacket to spread SimpleHelp across hosts.

Product                          Affected Versions   Fixed By                    Patch Notes
Remote Support (RS)              25.3.1 and prior    BT26-02-RS (21.3–25.3.1)    Upgrade first if below 21.3
Privileged Remote Access (PRA)   24.3.4 and prior    BT26-02-PRA (22.1–24.X)     Upgrade first if below 22.1

Attack Indicators

  • SimpleHelp binaries in ProgramData.
  • New privileged accounts via net user/group.
  • SMBv2 sessions with Impacket tools.
  • AdsiSearcher and network enum commands.

Cloud-hosted instances are already patched. Self-hosted admins should hunt for these signs across their domains.

Mitigation Actions

  • Apply BeyondTrust patches immediately.
  • Hunt for SimpleHelp files and rogue admins.
  • Block unusual SMB traffic.
  • Review logs for command injection.
  • Upgrade old versions before patching.
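The indicators listed under Attack Indicators and the "hunt for SimpleHelp files and rogue admins" and "review logs" items above translate into a small log-hunting routine. The following is an added example written for this page, not code from BeyondTrust, Arctic Wolf, or the advisory. It scans process-creation records (the shape Sysmon Event ID 1 or Security Event ID 4688 would give you after normalisation; the field names host/user/image/command_line are an assumption of this example) for the post-exploitation commands and file paths named in the article, and flags a host on any single high-confidence hit or on two or more corroborating recon commands. The sample events are constructed for illustration.

```python
"""Hunt process-creation logs for the CVE-2026-1731 post-exploitation indicators
described in the article: SimpleHelp / remote access.exe in ProgramData, net user
and net group account creation, AdsiSearcher, and net share / ipconfig / systeminfo
enumeration. Added example; event shape and sample values are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str          # "high": one hit flags the host; "recon": needs corroboration
    pattern: re.Pattern


RULES: List[Rule] = [
    # Dropped remote-access tool under ProgramData (remote access.exe / SimpleHelp)
    Rule("simplehelp_in_programdata", "high",
         re.compile(r"\\programdata\\.*?(?:remote access\.exe|simplehelp)", re.I)),
    # Account creation via net user ... /add
    Rule("net_user_add", "high",
         re.compile(r"\bnet1?\s+user\s+.*?/add\b", re.I)),
    # Privilege grant via net group "Domain Admins" ... /add (or local Administrators)
    Rule("net_group_admins_add", "high",
         re.compile(r'\bnet1?\s+(?:local)?group\s+"?(?:domain admins|administrators)"?.*?/add\b',
                    re.I)),
    # Directory enumeration through the [adsisearcher] PowerShell accelerator
    Rule("adsisearcher", "high", re.compile(r"adsisearcher", re.I)),
    # Host/network recon; individually common, suspicious in combination
    Rule("net_share", "recon", re.compile(r"\bnet1?\s+share\b", re.I)),
    Rule("ipconfig", "recon", re.compile(r"\bipconfig\b", re.I)),
    Rule("systeminfo", "recon", re.compile(r"\bsysteminfo\b", re.I)),
]
RULE_INDEX = {r.name: r for r in RULES}
WEIGHT = {"high": 5, "recon": 1}

# Constructed sample events (not from a real incident); field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\svc-bomgar",
     "image": r"C:\ProgramData\remote access.exe",
     "command_line": r'"C:\ProgramData\remote access.exe"'},
    {"host": "ws01", "user": "CORP\\svc-bomgar",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user backupadm P@ss /add /domain"},
    {"host": "ws01", "user": "CORP\\svc-bomgar",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" backupadm /add /domain'},
    {"host": "ws01", "user": "CORP\\svc-bomgar",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c ([adsisearcher]'(objectCategory=computer)').FindAll()"},
    {"host": "ws02", "user": "CORP\\backupadm",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c ipconfig /all & systeminfo & net share"},
    {"host": "ws03", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\ipconfig.exe",
     "command_line": "ipconfig"},   # a lone recon command on its own is not flagged
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that match the event's image or command line."""
    text = f"{event.get('image', '')} {event.get('command_line', '')}"
    return [rule.name for rule in RULES if rule.pattern.search(text)]


def hunt(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate rule hits per host and decide which hosts warrant investigation."""
    findings: Dict[str, dict] = defaultdict(
        lambda: {"matches": [], "score": 0, "flag": False})
    for event in events:
        names = match_event(event)
        if not names:
            continue
        entry = findings[event["host"]]
        for name in names:
            entry["matches"].append(name)
            entry["score"] += WEIGHT[RULE_INDEX[name].severity]
    for entry in findings.values():
        high_hit = any(RULE_INDEX[n].severity == "high" for n in entry["matches"])
        recon_hits = sum(1 for n in entry["matches"] if RULE_INDEX[n].severity == "recon")
        entry["flag"] = high_hit or recon_hits >= 2
    return dict(findings)


if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_EVENTS).items():
        status = "INVESTIGATE" if entry["flag"] else "low"
        print(f"{host}: {status} score={entry['score']} matches={entry['matches']}")
```

In a real deployment, feed the function with normalised process-creation events from your SIEM or EDR rather than the embedded samples, and pair the results with the account-change events (new users, Domain Admins membership changes) the article tells you to watch in Active Directory; the regexes are deliberately narrow so that ordinary administrative use of ipconfig or systeminfo does not page anyone on its own.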

FAQ

What does CVE-2026-1731 allow?

Unauthenticated OS command execution leading to domain admin. 

Which BeyondTrust products face risk?

Self-hosted RS up to 25.3.1 and PRA up to 24.3.4.

Are cloud instances safe?

Yes, auto-patched February 2, 2026.

What post-exploit tools show up?

SimpleHelp remote access.exe, PSExec, Impacket.

Does CISA track this?

Yes, in the KEV catalog. The federal patch deadline is March 10, 2026.

Next steps for admins?

Patch, scan for IOCs, monitor Active Directory changes.
