
Critical BeyondTrust Remote Support and Privileged Remote Access Flaw CVE-2026-1731 Exploited for Full Domain Control


Marcus Rodriguez
February 16, 2026 3 Min Read

Key Takeaways

  • A critical command injection vulnerability (CVE-2026-1731) in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is actively being exploited.
  • The flaw allows unauthenticated attackers to execute arbitrary operating system commands on the appliance; in the intrusions observed so far, that foothold was used to gain full domain control.
  • Self-hosted BeyondTrust deployments are at risk and require manual patching; cloud instances were automatically updated on February 2, 2026.
  • The vulnerability carries a CVSS score of 9.8 (Critical).

BeyondTrust Remote Support and Privileged Remote Access Flaw Exploited for Full Domain Control

A severe security vulnerability, tracked as CVE-2026-1731, within BeyondTrust’s self-hosted Remote Support (RS) and Privileged Remote Access (PRA) products is under active exploitation, enabling threat actors to achieve complete domain compromise. This critical flaw allows attackers to execute arbitrary operating system commands without prior authentication, posing a significant risk to affected organizations.


Exploitation involves crafting HTTP requests that yield unauthenticated remote code execution on the appliance. The injected commands run with the privileges of the appliance's site user rather than root, which is nevertheless enough to establish a foothold that, in the observed intrusions, was escalated to full compromise of the surrounding environment.

BeyondTrust’s cloud-hosted deployments received automatic patches for this issue on February 2, 2026. However, organizations utilizing self-hosted versions of BeyondTrust RS and PRA must manually apply the necessary updates to secure their systems against ongoing attacks.

Technical Analysis of Exploitation

Security researchers at Arctic Wolf have provided detailed insights into the post-exploitation activities observed. Their analysis revealed that attackers are deploying SimpleHelp Remote Access binaries following successful exploitation. These malicious binaries, often named remote access.exe, are created through BeyondTrust Bomgar processes running under the highly privileged SYSTEM account and are typically saved in the ProgramData directory.

Attackers are using standard Windows commands such as net user and net group to create new accounts and add them to the Enterprise Admins or Domain Admins groups, effectively granting themselves full control of the compromised domain. For reconnaissance, the [adsisearcher] PowerShell type accelerator (a shortcut for System.DirectoryServices.DirectorySearcher) is used to enumerate Active Directory computer objects. Further discovery commands such as net share, ipconfig /all, and systeminfo are executed to map out the network infrastructure.

Arctic Wolf investigators also observed the use of PsExec and Impacket SMBv2 session setup requests. This indicates a coordinated effort by the threat actors to propagate the SimpleHelp remote access tool across multiple hosts within the compromised network, maximizing their foothold.
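The post-exploitation chain above maps cleanly onto process-creation telemetry (Security event 4688 or Sysmon event 1). The following is an added example, not code from the article, Arctic Wolf or BeyondTrust: a small hunt that runs those indicators over a constructed set of events. The event field names, the "bomgar" parent-process heuristic, the exact regular expressions and the sample paths (including the Bomgar client directory) are assumptions made for illustration, not a published detection rule.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (subset of 4688 / Sysmon 1 fields used here)."""
    host: str
    user: str          # account the new process runs as
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Patterns built from the indicators in the article. The regexes, the "bomgar"
# parent-name heuristic and the ProgramData path are assumptions of this example.
_SIMPLEHELP_DROP = re.compile(r"^c:\\programdata\\(?:.*\\)?remote access\.exe$", re.I)
_BOMGAR_PARENT = re.compile(r"bomgar", re.I)
_NET = r"^\s*net(?:1)?(?:\.exe)?\s+"
_NET_USER_ADD = re.compile(_NET + r"user\s+(\S+)\s+\S+\s+/add\b", re.I)
_NET_GROUP_ADD = re.compile(
    _NET + r'group\s+"?(domain admins|enterprise admins)"?\s+(\S+)\s+/add\b', re.I)
_ADSI = re.compile(r"\[adsisearcher\]", re.I)
_DISCOVERY = {
    "net share": re.compile(_NET + r"share\b", re.I),
    "ipconfig /all": re.compile(r"^\s*ipconfig(?:\.exe)?\s+/all\b", re.I),
    "systeminfo": re.compile(r"^\s*systeminfo(?:\.exe)?\b", re.I),
}


def hunt(events: Iterable[ProcEvent], discovery_threshold: int = 2) -> list[Finding]:
    """Return one Finding per matched indicator. Single discovery commands are
    noisy, so a host is only reported once it runs `discovery_threshold`
    distinct ones."""
    findings: list[Finding] = []
    discovery_seen: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        parent = ev.parent_image.rsplit("\\", 1)[-1]
        if _SIMPLEHELP_DROP.match(ev.image) and _BOMGAR_PARENT.search(parent):
            findings.append(Finding(ev.host, "simplehelp-drop",
                                    f"{ev.image} spawned by {parent} as {ev.user}"))
        if m := _NET_USER_ADD.match(ev.command_line):
            findings.append(Finding(ev.host, "account-created", f"net user added {m.group(1)}"))
        if m := _NET_GROUP_ADD.match(ev.command_line):
            findings.append(Finding(ev.host, "priv-group-add",
                                    f"{m.group(2)} added to {m.group(1)}"))
        if _ADSI.search(ev.command_line):
            findings.append(Finding(ev.host, "adsisearcher-recon", ev.command_line))
        for name, pat in _DISCOVERY.items():
            if pat.match(ev.command_line):
                discovery_seen[ev.host].add(name)
    for host, cmds in sorted(discovery_seen.items()):
        if len(cmds) >= discovery_threshold:
            findings.append(Finding(host, "discovery-chain", ", ".join(sorted(cmds))))
    return findings


# Constructed sample telemetry: the chain from the article on a compromised
# appliance, plus ordinary activity on a workstation that must not alert.
_SYS = "NT AUTHORITY\\SYSTEM"
_BOMGAR = r"C:\ProgramData\bomgar-scc-1a2b3c\bomgar-scc.exe"   # assumed client path
_CMD = r"C:\Windows\System32\cmd.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("rs-appliance-01", _SYS, _BOMGAR, r"C:\ProgramData\remote access.exe",
              r'"C:\ProgramData\remote access.exe"'),
    ProcEvent("rs-appliance-01", _SYS, _CMD, r"C:\Windows\System32\net.exe",
              "net user svc_backup P@ssw0rd! /add /domain"),
    ProcEvent("rs-appliance-01", _SYS, _CMD, r"C:\Windows\System32\net.exe",
              'net group "Domain Admins" svc_backup /add /domain'),
    ProcEvent("rs-appliance-01", _SYS, _CMD, _PS,
              'powershell -c ([adsisearcher]"objectCategory=computer").FindAll()'),
    ProcEvent("rs-appliance-01", _SYS, _CMD, r"C:\Windows\System32\net.exe", "net share"),
    ProcEvent("rs-appliance-01", _SYS, _CMD, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent("rs-appliance-01", _SYS, _CMD, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ProcEvent("ws-finance-07", "CORP\\alice", _CMD, r"C:\Windows\System32\ipconfig.exe",
              "ipconfig /all"),
    ProcEvent("ws-finance-07", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:16} {f.rule:20} {f.detail}")
```

The rules are deliberately narrow: the SimpleHelp drop is only flagged when the child sits under ProgramData and the parent is a Bomgar process, and a lone ipconfig on a workstation does not fire the discovery rule. In a real deployment you would feed it exported 4688/Sysmon events, widen the parent-process check to whatever your BeyondTrust client binaries are actually named, and add a time window to the discovery grouping.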

Affected Versions and Patches

The vulnerability, CVE-2026-1731, has been assigned a critical CVSS score of 9.8. It specifically impacts:

  • BeyondTrust Remote Support (RS): Versions 25.3.1 and prior.
  • BeyondTrust Privileged Remote Access (PRA): Versions 24.3.4 and prior.

The available patches are:

  • Remote Support (RS): Patch BT26-02-RS (for versions v21.3–25.3.1).
  • Privileged Remote Access (PRA): Patch BT26-02-PRA (for versions v22.1–24.X).

CISA advises that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded to a supported version before applying the latest patch.
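Because the patch only applies from RS 21.3 and PRA 22.1 upward, a fleet inventory needs three outcomes rather than two: patch now, upgrade first, or already outside the affected range. The following is an added example, not a tool from BeyondTrust or CISA: it encodes the version boundaries stated above and triages a constructed inventory. The Appliance record, the fleet entries and the "above the affected range" wording are assumptions of the example; versions above the stated ranges should still be checked against the vendor advisory.

```python
from __future__ import annotations

from dataclasses import dataclass

# Boundaries as stated in the article. Tuples compare lexicographically, so a
# two-part version such as (25, 3) sorts below (25, 3, 1) as intended.
AFFECTED_THROUGH = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}
PATCH = {"RS": ("BT26-02-RS", (21, 3)), "PRA": ("BT26-02-PRA", (22, 1))}


def parse_version(s: str) -> tuple[int, ...]:
    """'v25.3.1' -> (25, 3, 1); '24.3' -> (24, 3)."""
    return tuple(int(p) for p in s.strip().lstrip("vV").split("."))


@dataclass(frozen=True)
class Appliance:
    name: str
    product: str      # "RS" or "PRA"
    version: str
    self_hosted: bool


def triage(a: Appliance) -> str:
    """Decide the remediation step for one appliance."""
    if a.product not in AFFECTED_THROUGH:
        raise ValueError(f"unknown product {a.product!r}")
    if not a.self_hosted:
        return "cloud: confirm the 2026-02-02 auto-patch was applied"
    v = parse_version(a.version)
    if v > AFFECTED_THROUGH[a.product]:
        return "above the affected range stated in the article; verify against the vendor advisory"
    patch_id, floor = PATCH[a.product]
    if v < floor:
        # Too old for the patch: must reach the supported baseline first.
        return f"upgrade to {'.'.join(map(str, floor))} or later, then apply {patch_id}"
    return f"apply {patch_id}"


def triage_fleet(fleet: list[Appliance]) -> dict[str, str]:
    return {a.name: triage(a) for a in fleet}


# Constructed inventory covering each branch of the decision.
SAMPLE_FLEET = [
    Appliance("rs-appliance-01", "RS", "25.3.1", True),   # last affected RS build
    Appliance("rs-legacy-02", "RS", "21.2.4", True),      # below the patch floor
    Appliance("pra-appliance-01", "PRA", "24.3", True),   # two-part version string
    Appliance("pra-cloud", "PRA", "24.3.4", False),       # vendor-hosted instance
    Appliance("rs-new-03", "RS", "25.3.2", True),         # above the stated range
]

if __name__ == "__main__":
    for name, action in triage_fleet(SAMPLE_FLEET).items():
        print(f"{name:18} {action}")
```

Run it against an export of your appliance inventory; the "upgrade first" branch is the one most often missed when patches are pushed in bulk.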

What You Should Do

  • Apply Patches Immediately: For all self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) deployments, apply the respective patches (BT26-02-RS or BT26-02-PRA) without delay. Ensure any older versions are upgraded to a supported baseline before patching.
  • Review for Unauthorized Binaries: Actively scan systems for unauthorized SimpleHelp binaries, particularly in the ProgramData directory, and remove any found.
  • Audit for Suspicious Accounts: Scrutinize Active Directory for newly created or modified administrative accounts (Enterprise Admin, Domain Admin) that appear suspicious or unauthorized.
  • Monitor Network Traffic: Look for unusual network traffic patterns, especially SMB session setups between hosts that do not normally talk to each other, which could indicate lateral movement with tools such as PsExec or Impacket.
  • Verify Cloud Protection: If you are a BeyondTrust cloud-based customer, confirm that your instances were automatically patched as of February 2, 2026.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Marcus Rodriguez
Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.