Critical BeyondTrust Privilege Cloud CVE-2023-40576 Exploited for Full Domain Control
Key Takeaways
- A critical command injection vulnerability (CVE-2026-1731) in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is actively being exploited.
- The flaw allows unauthenticated attackers to execute arbitrary operating system commands and gain full domain control.
- Self-hosted BeyondTrust deployments are at risk and require manual patching; cloud instances were automatically updated on February 2, 2026.
- The vulnerability carries a CVSS score of 9.8 (Critical).
BeyondTrust Privilege Cloud Flaw Exploited for Full Domain Control
A severe security vulnerability, tracked as CVE-2026-1731, within BeyondTrust’s self-hosted Remote Support (RS) and Privileged Remote Access (PRA) products is under active exploitation, enabling threat actors to achieve complete domain compromise. This critical flaw allows attackers to execute arbitrary operating system commands without prior authentication, posing a significant risk to affected organizations.
Exploiting this vulnerability involves crafting specific HTTP requests that permit unauthenticated remote code execution. Attackers can leverage this to run commands with the privileges of the system’s site user, potentially leading to full system compromise.
BeyondTrust’s cloud-hosted deployments received automatic patches for this issue on February 2, 2026. However, organizations utilizing self-hosted versions of BeyondTrust RS and PRA must manually apply the necessary updates to secure their systems against ongoing attacks.
Technical Analysis of Exploitation
Security researchers at Arctic Wolf have provided detailed insights into the post-exploitation activities observed. Their analysis revealed that attackers are deploying SimpleHelp Remote Access binaries following successful exploitation. These malicious binaries, often named remote access.exe, are created through BeyondTrust Bomgar processes running under the highly privileged SYSTEM account and are typically saved in the ProgramData directory.
Attackers are using standard Windows commands such as net user and net group to create new, highly privileged domain accounts, effectively granting themselves Enterprise Admin or Domain Admin rights within the compromised environment. For network reconnaissance, the PowerShell AdsiSearcher type accelerator is used to enumerate Active Directory computers. Further discovery commands such as net share, ipconfig /all, and systeminfo are executed to map out the network infrastructure.
Arctic Wolf investigators also observed the use of PSExec and Impacket SMBv2 session setup requests. This indicates a coordinated effort by threat actors to propagate the SimpleHelp remote access tool across multiple hosts within the compromised network, maximizing their foothold.
Affected Versions and Patches
The vulnerability, CVE-2026-1731, has been assigned a critical CVSS score of 9.8. It specifically impacts:
- BeyondTrust Remote Support (RS): Versions 25.3.1 and prior.
- BeyondTrust Privileged Remote Access (PRA): Versions 24.3.4 and prior.
The available patches are:
- Remote Support (RS): Patch BT26-02-RS (for versions v21.3–25.3.1).
- Privileged Remote Access (PRA): Patch BT26-02-PRA (for versions v22.1–24.X).
CISA advises that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded to a supported version before applying the latest patch.
What You Should Do
- Apply Patches Immediately: For all self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) deployments, apply the respective patches (BT26-02-RS or BT26-02-PRA) without delay. Ensure any older versions are upgraded to a supported baseline before patching.
- Review for Unauthorized Binaries: Actively scan systems for unauthorized SimpleHelp binaries, particularly in the ProgramData directory, and remove any found.
- Audit for Suspicious Accounts: Scrutinize Active Directory for newly created or modified administrative accounts (Enterprise Admin, Domain Admin) that appear suspicious or unauthorized.
- Monitor Network Traffic: Look for unusual network traffic patterns, especially those related to SMB sessions, which could indicate lateral movement of exploitation tools like PSExec or Impacket.
- Verify Cloud Protection: If you are a BeyondTrust cloud-based customer, confirm that your instances were automatically patched as of February 2, 2026.
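The binary, process and account checks described in the analysis and in the steps above, as an added hunting script that is not from the advisory, BeyondTrust or Arctic Wolf. It assumes the RSAT ActiveDirectory module is present for the group checks; the 14-day lookback and the file-name pattern for the dropped SimpleHelp binary are assumptions.

```powershell
# Added example, not part of the advisory: hunt one host (or a DC) for the
# post-exploitation artifacts described above. Assumptions: RSAT ActiveDirectory
# module, a 14-day lookback, and the "remote access.exe" file-name pattern.
param(
    [int]$LookbackDays = 14,
    [string]$ProgramData = $env:ProgramData
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Remote-access executables dropped under ProgramData: "remote access.exe"
#    or any EXE whose version info names SimpleHelp.
Get-ChildItem -Path $ProgramData -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -match '^remote\s*access\.exe$' -or
        "$($_.VersionInfo.CompanyName) $($_.VersionInfo.ProductName)" -match 'SimpleHelp'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Finding = 'SuspiciousBinary'; Path = $_.FullName; Created = $_.CreationTime
            Signer  = (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject
        }
    }

# 2. Live child processes of Bomgar/BeyondTrust processes that are not Bomgar
#    components themselves (the binaries were created via these SYSTEM processes).
$procs     = Get-CimInstance Win32_Process
$bomgarIds = @($procs | Where-Object { $_.Name -match 'bomgar' } | ForEach-Object ProcessId)
$procs | Where-Object { $_.ParentProcessId -in $bomgarIds -and $_.Name -notmatch 'bomgar' } |
    ForEach-Object {
        [pscustomobject]@{ Finding = 'BomgarChildProcess'; Pid = $_.ProcessId
                           Name = $_.Name; CommandLine = $_.CommandLine }
    }

# 3. Accounts created inside the lookback window that now sit in the two groups the
#    attackers added themselves to. Enterprise Admins exists only in the forest root,
#    so a lookup failure for it in a child domain is expected.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties whenCreated } |
        Where-Object { $_.whenCreated -ge $since } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'RecentPrivilegedAccount'; Group = $group
                               Account = $_.SamAccountName; Created = $_.whenCreated }
        }
}

# 4. On a domain controller the Security log records the same activity:
#    4720 = user created, 4728 / 4756 = member added to a global / universal group.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
```

Run it with administrative rights; sections 3 and 4 only return results on a domain-joined host with the AD module and on a domain controller respectively.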
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.