The BeyondTrust Vulnerability Exploit

A critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731, is being actively exploited in the wild. The flaw is an unauthenticated OS command injection in self-hosted BeyondTrust deployments: an attacker who can reach a vulnerable appliance sends specially crafted HTTP requests and executes arbitrary operating system commands with the privileges of the site user, with no credentials required. In the intrusions observed so far, that initial foothold has been used as the starting point for taking complete control of the victim's Active Directory domain.

As of February 2, 2026, BeyondTrust's cloud-hosted instances have already received the fix automatically. Self-hosted customers get no automatic update and must apply the patch themselves to close the exploitation window.

Technical Specifications

According to Arctic Wolf's analysis of the intrusions, the attackers' post-exploitation activity relied on SimpleHelp Remote Access binaries, a legitimate remote-access tool abused here as attacker tooling.

CVE ID: CVE-2026-1731
CVSS score: 9.8 (Critical)
Description: Unauthenticated OS command injection in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), allowing remote code execution and complete compromise of the affected system.

On compromised Windows hosts, the SimpleHelp remote-access binaries were dropped into the ProgramData directory and executed by BeyondTrust Bomgar processes running under the SYSTEM account, which means the remote-access tooling itself ran with SYSTEM privileges from the start. From there the attackers created new privileged domain accounts with the built-in net user and net group commands, adding them to the Domain Admins or Enterprise Admins groups and effectively granting themselves full control of the domain.

For reconnaissance, the attackers used the PowerShell AdsiSearcher type accelerator ([adsisearcher]) to enumerate computer objects in Active Directory, alongside host and network discovery commands such as net share, ipconfig /all and systeminfo.

Affected products and patches

Remote Support (RS): affected through version 25.3.1; fixed by patch BT26-02-RS, which applies to versions 21.3 through 25.3.1.
Privileged Remote Access (PRA): affected through version 24.3.4; fixed by patch BT26-02-PRA, which applies to versions 22.1 through 24.x.

Arctic Wolf investigators also observed PsExec usage and Impacket-generated SMBv2 session setup requests, indicating that the SimpleHelp tool was pushed to several networked hosts in a coordinated lateral-movement effort rather than planted on a single machine. Security experts strongly recommend patching every vulnerable self-hosted installation immediately; cloud-hosted BeyondTrust customers are already protected.

CISA recommends that self-hosted deployments running versions older than RS 21.3 or PRA 22.1, which fall outside the ranges the patches cover, first be upgraded to a supported version and then patched. After patching, system administrators should hunt for signs of prior compromise: newly created or suspicious administrative accounts, especially recent additions to Domain Admins or Enterprise Admins; unauthorized SimpleHelp binaries, particularly under ProgramData; and unusual SMB session activity between hosts consistent with PsExec or Impacket use.
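The post-exploitation chain described above (a SYSTEM-level Bomgar process launching SimpleHelp out of ProgramData, net user and net group creating privileged domain accounts, [adsisearcher] and net/ipconfig reconnaissance) maps directly onto the hunt CISA recommends, and it can be expressed as a small process-creation detection. The following Python is an added example written for this article, not code from BeyondTrust, Arctic Wolf or CISA. The event records, host names, user names, the bomgar-scc.exe parent process name and the "Remote Access.exe" SimpleHelp filename are constructed assumptions in a Sysmon-style field layout; point hunt() at your own EDR or Sysmon Event ID 1 export mapped to the same field names.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a Sysmon-style field layout.
# Host names, user names, paths and command lines are made up for this example;
# "bomgar-scc.exe" is assumed as a representative BeyondTrust/Bomgar client
# process name and "Remote Access.exe" as the SimpleHelp client filename.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Program Files\\Bomgar\\bomgar-scc.exe",
     "image": "C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe",
     "command_line": "\"C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe\""},
    {"host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Program Files\\Bomgar\\bomgar-scc.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c net user svc_backup Passw0rd! /add /domain"},
    {"host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net group \"Domain Admins\" svc_backup /add /domain"},
    {"host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Program Files\\Bomgar\\bomgar-scc.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoP -c \"([adsisearcher]'(objectCategory=computer)').FindAll()\""},
    # Benign noise: a user running a single discovery command from a normal shell.
    {"host": "WS-HR-02", "user": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ipconfig /all"},
    {"host": "WS-ENG-11", "user": "CORP\\asmith",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# net.exe and net1.exe share syntax; /add is what separates creation from lookup.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)
NET_GROUP_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+group\s+\"?(domain admins|enterprise admins)\"?\s+(\S+)\s+.*?/add\b", re.I)
ADSI_SEARCHER = re.compile(r"\[adsisearcher\]", re.I)
NETWORK_RECON = re.compile(r"\b(?:net\s+share|ipconfig\s+/all|systeminfo)\b", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the (rule, evidence) pairs a single process-creation event triggers."""
    hits = []
    cmd = ev.get("command_line", "")
    parent = basename(ev.get("parent_image", ""))
    image = ev.get("image", "")
    is_system = ev.get("user", "").upper().endswith("\\SYSTEM")
    # Bomgar running as SYSTEM launching something out of ProgramData: the drop
    # pattern described for the SimpleHelp binaries. Bomgar spawning cmd.exe alone
    # is normal in support sessions, so that by itself is deliberately not a rule.
    if "bomgar" in parent and is_system and image.lower().startswith("c:\\programdata\\"):
        hits.append(("bomgar_spawn_from_programdata", image))
    m = NET_USER_ADD.search(cmd)
    if m:
        hits.append(("net_user_add", m.group(1)))
    m = NET_GROUP_ADD.search(cmd)
    if m:
        hits.append(("privileged_group_add", f"{m.group(2)} -> {m.group(1)}"))
    if ADSI_SEARCHER.search(cmd):
        hits.append(("adsisearcher_recon", cmd))
    m = NETWORK_RECON.search(cmd)
    if m:
        hits.append(("network_recon", m.group(0)))
    return hits


def hunt(events):
    """Group rule hits per host so the chain can be judged host by host."""
    findings = defaultdict(list)
    for ev in events:
        for rule, evidence in check_event(ev):
            findings[ev["host"]].append((rule, evidence))
    return dict(findings)


def triage(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired. One 'ipconfig /all'
    is noise; drop + account creation + recon on the same host is the chain."""
    return sorted(h for h, hits in findings.items()
                  if len({r for r, _ in hits}) >= min_rules)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in triage(results):
        print(host)
        for rule, evidence in results[host]:
            print(f"  {rule}: {evidence}")
```

The triage threshold is intentionally conservative: each individual rule has a benign explanation (helpdesk staff do run net user, administrators do run ipconfig), so the alert fires on the combination seen in these intrusions rather than on any single command. Tune the regexes if your environment renames the SimpleHelp client or installs it under a path other than ProgramData.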
