Cybersecurity company Arctic Wolf has found that CVE-2026-1731 is being actively exploited against self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) deployments. This unauthenticated remote code execution vulnerability lets attackers who send carefully constructed requests run operating system commands as the site user, opening the door to complete domain compromise. Having issued a first security bulletin on the matter, Arctic Wolf has now published additional threat intelligence to equip defenders against the ongoing campaign.
On February 2, 2026, BeyondTrust automatically patched cloud-hosted instances, so those customers need take no action. Self-hosted customers, however, must apply the updates to vulnerable versions themselves. Attackers have used the vulnerability to move laterally, reconnoiter networks, and deploy persistence tools, frequently targeting outdated appliances that still carry the legacy Bomgar branding (BeyondTrust's former name).
In the observed intrusions, threat actors used Bomgar processes running under the SYSTEM account to drop renamed SimpleHelp RMM binaries, such as "remote access.exe", into the root of the ProgramData directory; PE metadata identified these executables as "SimpleHelp Remote Access Client." The attackers then created domain accounts with commands like net user REDACTED_USERNAME REDACTED_PASSWORD /add /domain and elevated their privileges with net group "enterprise admins" REDACTED_USERNAME /add /domain and net group "domain admins" REDACTED_USERNAME /add /domain.
This granted them full administrative control of the domain. Discovery included PowerShell AdsiSearcher queries that echoed "AD_Computers:" followed by ([adsiSearcher]"(ObjectClass=computer)").FindAll().count, a count of the computers in the domain. The SimpleHelp processes also ran net share, cmd.exe /c ipconfig /all, systeminfo, and cmd.exe /c ver to map the network and hosts.
Lateral movement relied on PsExec to push SimpleHelp to further devices, alongside early Impacket SMBv2 session-setup requests for remote access. Arctic Wolf's Managed Detection and Response service flags these techniques and notifies customers of any new incidents.

Affected versions and fixes:

Product | Affected versions | Fix
Remote Support (RS) | 25.3.1 and prior | Patch BT26-02-RS (v21.3–25.3.1)
Privileged Remote Access (PRA) | 24.3.4 | Patch BT26-02-PRA (v22.1–24.X)

Remarks: RS versions below 21.3 and PRA versions below 22.1 require a full upgrade rather than a patch. PRA 25.1 and later are not affected. Cloud instances are already secured.

Defenders should prioritize patching according to organizational guidelines, scan for SimpleHelp IOCs (for example, suspicious executables in the ProgramData root with matching PE metadata), and monitor for AD enumeration and net user activity. Arctic Wolf urges immediate action to thwart domain takeover.
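As an added detection example (not part of the Arctic Wolf report or of any BeyondTrust or SimpleHelp code), the following Python script applies the behavioural indicators described above to process-creation records: a SimpleHelp-described executable sitting in the ProgramData root, a Bomgar process spawning children as SYSTEM, domain account creation and privileged group additions via net, AdsiSearcher computer enumeration, and the host and network reconnaissance commands. The records are constructed samples shaped like the fields of a Sysmon Event ID 1 (process creation) event; the Bomgar executable path and the account name NEWUSER are assumptions, not values from the report.

```python
import re
from collections import Counter

# Indicators drawn from the behaviour described in the report above. Each record
# carries the user, parent image, new image, command line and PE FileDescription,
# the same fields Sysmon Event ID 1 exposes. All records are constructed samples.

# An .exe directly in the ProgramData root (no subdirectory), e.g. C:\ProgramData\x.exe
PROGRAMDATA_ROOT_EXE = re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$", re.IGNORECASE)
# net user <name> <password> /add /domain, in any switch order
NET_USER_ADD = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\b(?=.*\s/add\b)(?=.*\s/domain\b)", re.IGNORECASE)
# net group "domain admins"|"enterprise admins" <name> /add /domain
NET_GROUP_PRIV = re.compile(
    r'\bnet(?:1)?(?:\.exe)?\s+group\s+"?(?:domain admins|enterprise admins)"?(?=.*\s/add\b)(?=.*\s/domain\b)',
    re.IGNORECASE,
)
# [adsiSearcher]"(ObjectClass=computer)" style computer enumeration
ADSI_COMPUTERS = re.compile(r"\[adsisearcher\].*objectclass=computer", re.IGNORECASE)
# Host/network mapping commands seen in the intrusion (low signal on their own)
RECON_CMDS = re.compile(
    r"(?:^|\s)(?:ipconfig(?:\.exe)?\s+/all|systeminfo(?:\.exe)?|net(?:\.exe)?\s+share|ver)(?:\s|$)",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [
    {  # renamed SimpleHelp client launched by the support appliance as SYSTEM
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\Program Files\Bomgar\bomgar-scc.exe",  # assumed path
        "image": r"C:\ProgramData\remote access.exe",
        "command_line": r'"C:\ProgramData\remote access.exe"',
        "description": "SimpleHelp Remote Access Client",
    },
    {  # domain account creation (NEWUSER is a constructed name)
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\ProgramData\remote access.exe",
        "image": r"C:\Windows\System32\net.exe",
        "command_line": "net user NEWUSER Passw0rd! /add /domain",
        "description": "Net Command",
    },
    {  # privilege escalation through a privileged group
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\ProgramData\remote access.exe",
        "image": r"C:\Windows\System32\net.exe",
        "command_line": 'net group "domain admins" NEWUSER /add /domain',
        "description": "Net Command",
    },
    {  # AD computer enumeration via AdsiSearcher
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\ProgramData\remote access.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -Command \"'AD_Computers: ' + "
                        "([adsiSearcher]'(ObjectClass=computer)').FindAll().count\"",
        "description": "Windows PowerShell",
    },
    {  # network reconnaissance
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\ProgramData\remote access.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c ipconfig /all",
        "description": "Windows Command Processor",
    },
    {  # benign activity that must not be flagged
        "user": r"CORP\jsmith",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r"notepad.exe C:\Users\jsmith\notes.txt",
        "description": "Notepad",
    },
]


def classify_event(ev):
    """Return the list of indicator names a single process-creation record matches."""
    findings = []
    cmd = ev.get("command_line", "")
    desc = ev.get("description", "").lower()
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    user = ev.get("user", "").upper()

    if "simplehelp" in desc and PROGRAMDATA_ROOT_EXE.match(ev.get("image", "")):
        findings.append("simplehelp_in_programdata_root")
    if parent.startswith("bomgar") and user.endswith("\\SYSTEM"):
        findings.append("bomgar_appliance_spawned_process_as_system")
    if NET_USER_ADD.search(cmd):
        findings.append("domain_account_created")
    if NET_GROUP_PRIV.search(cmd):
        findings.append("privileged_group_addition")
    if ADSI_COMPUTERS.search(cmd):
        findings.append("ad_computer_enumeration")
    if RECON_CMDS.search(cmd):
        findings.append("host_network_recon")
    return findings


def summarize(events):
    """Aggregate indicators; account creation plus a privileged group add is the takeover chain."""
    counts = Counter()
    flagged = 0
    for ev in events:
        found = classify_event(ev)
        if found:
            flagged += 1
            counts.update(found)
    return {
        "flagged_events": flagged,
        "counts": dict(counts),
        "likely_domain_takeover": "domain_account_created" in counts
        and "privileged_group_addition" in counts,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", classify_event(ev) or "clean")
    print(summarize(SAMPLE_EVENTS))
```

The recon rule fires on ordinary administrative use of ipconfig or net share, so treat it as context that raises the priority of the other indicators rather than as an alert by itself; the account-creation and privileged-group rules, and any SimpleHelp-described executable in the ProgramData root on a host that runs a BeyondTrust appliance, are the findings worth escalating.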