Critical BeyondTrust Flaw Exploited to Gain Full Domain Control

By Marcus Rodriguez, February 16, 2026 (2 min read)

A critical vulnerability, identified as CVE-2026-1731, is currently under active exploitation. This flaw enables attackers to achieve full domain control over targeted systems.

Threat actors are leveraging this flaw to execute operating system commands remotely without authentication.

The flaw, discovered in self-hosted BeyondTrust deployments, allows unauthenticated attackers to run arbitrary OS commands via specially crafted HTTP requests, executing them under the site user’s privileges.

Cloud-hosted BeyondTrust instances have already been automatically patched as of February 2, 2026. However, self-hosted customers must apply updates manually to mitigate exploitation risks.

Technical Details

Arctic Wolf’s analysis revealed attackers deploying SimpleHelp Remote Access binaries as part of their post-exploitation activity.

CVE ID        | CVSS Score     | Description
CVE-2026-1731 | 9.8 (Critical) | Unauthenticated OS command injection in BeyondTrust RS and PRA enabling remote code execution and full system compromise.

These binaries were created through BeyondTrust Bomgar processes running under the SYSTEM account and saved in the ProgramData directory, commonly named remote access.exe.

The attackers used net user and net group commands to create privileged domain accounts, effectively granting themselves Enterprise Admin or Domain Admin rights.

For reconnaissance, the PowerShell AdsiSearcher type accelerator was used to enumerate Active Directory computers, alongside network discovery commands such as net share, ipconfig /all, and systeminfo.

Product                        | Affected Versions | Fixed Versions
Remote Support (RS)            | 25.3.1 and prior  | Patch BT26-02-RS (v21.3–25.3.1)
Privileged Remote Access (PRA) | 24.3.4 and prior  | Patch BT26-02-PRA (v22.1–24.X)

Arctic Wolf investigators noted the use of PsExec and Impacket SMBv2 session setup requests, suggesting coordinated propagation of the SimpleHelp tool across multiple networked hosts.

Security experts strongly advise patching all vulnerable versions immediately. All cloud-based BeyondTrust customers are already protected.

CISA advises that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded before applying the patch.

Administrators should review systems for unauthorized SimpleHelp binaries, suspicious admin accounts, and unusual network traffic related to SMB sessions.
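As an added example (not from the article, Arctic Wolf or BeyondTrust), the following hunt matches process-creation telemetry against the post-exploitation indicators described above: a Bomgar process running as SYSTEM launching "remote access.exe" from ProgramData, net user / net group additions to Enterprise Admins or Domain Admins, and the named reconnaissance commands. Field names, the Bomgar path and all sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

PRIV_GROUPS = ("enterprise admins", "domain admins")
RECON = ("adsisearcher", "net share", "ipconfig /all", "systeminfo")

def classify(ev):
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    img, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.command_line.lower()
    # 1. Bomgar (BeyondTrust) process running as SYSTEM launching "remote access.exe"
    #    from ProgramData, as reported for the SimpleHelp drops.
    if ("bomgar" in parent and ev.user.upper().endswith("SYSTEM")
            and "\\programdata\\" in img and img.endswith("remote access.exe")):
        hits.append("simplehelp_binary_from_bomgar")
    # 2. Account creation and privileged group additions via net / net1
    if re.search(r"\bnet1?\s+user\s+\S+.*\s/add\b", cmd):
        hits.append("account_created")
    m = re.search(r'\bnet1?\s+group\s+"?([^"/]+?)"?\s+\S+\s+/add\b', cmd)
    if m and m.group(1).strip() in PRIV_GROUPS:
        hits.append("privileged_group_membership_added")
    # 3. AD / network reconnaissance commands named in the report
    if any(tok in cmd for tok in RECON):
        hits.append("recon_command")
    return hits

def hunt(events):
    return [(ev.host, h) for ev in events for h in classify(ev)]

# Constructed sample telemetry; paths and account names are illustrative, not reported IoCs.
SAMPLE = [
    ProcEvent("srv1", r"NT AUTHORITY\SYSTEM", r"C:\ProgramData\bomgar-scc-example\bomgar-scc.exe",
              r"C:\ProgramData\remote access.exe", r'"C:\ProgramData\remote access.exe"'),
    ProcEvent("srv1", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe", 'net group "Enterprise Admins" svc_example /add /domain'),
    ProcEvent("srv1", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe", "net user svc_example Placeholder1 /add /domain"),
    ProcEvent("ws7", r"CORP\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\ipconfig.exe", "ipconfig /release"),
]

for host, hit in hunt(SAMPLE):
    print(host, hit)
```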
