Attackers Exploit Critical BeyondTrust Flaw to Seize Full Active Directory Control - gbhackers.com

gbhackers.com Archived Jun 24, 2026 ✓ Full text saved

Attackers Exploit Critical BeyondTrust Flaw to Seize Full Active Directory Control
By Divya, February 16, 2026 (CVE/vulnerability, Cyber Security News, Vulnerability; 2 min. read)

A critical vulnerability, CVE-2026-1731, affects self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject operating system commands, effectively granting them remote code execution. The severity of this campaign has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch the issue by February 16, 2026. While cloud customers were automatically secured earlier this month, self-hosted environments remain at significant risk if left unpatched.

Technical Analysis and Exploitation

The observed attack chain begins with the exploitation of the unpatched BeyondTrust appliance, leading to the deployment of the SimpleHelp Remote Monitoring and Management tool to establish persistence. Attackers attempt to evade detection by renaming the SimpleHelp binaries to generic filenames, such as "remote access.exe", and executing them directly from the ProgramData root directory.

CVE ID          Severity   Description
CVE-2026-1731   Critical   BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability, allowing unauthenticated remote attackers to execute operating system commands in the context of the site user.

Arctic Wolf researchers have observed that once access is established, the threat actors move quickly to escalate privileges within the network. They use standard Windows commands to create new domain accounts and immediately add them to high-privilege groups, specifically the Enterprise Admins and Domain Admins groups. This escalation grants the attackers full control over the victim's Active Directory environment. Following the privilege escalation, the attackers employ tools like AdsiSearcher to inventory Active Directory computers and gather intelligence on the network structure. Discovery activities also include the execution of commands to list network shares and system configuration details. To expand their foothold, the threat actors use PsExec to run SimpleHelp installations across multiple devices and use Impacket for lateral movement via SMBv2 session setup requests.

Affected Products and Fixes

Product                          Affected Version   Required Fix
Remote Support (RS)              25.3.1 and prior   Patch BT26-02-RS (v21.3 – 25.3.1)
Privileged Remote Access (PRA)   24.3.4 and prior   Patch BT26-02-PRA (v22.1 – 24.X)

Organizations using self-hosted versions of Remote Support and Privileged Remote Access must apply the available security updates immediately to prevent system compromise. BeyondTrust has confirmed that all cloud-based instances were automatically patched on February 2, 2026, and require no further user action. However, on-premises administrators must manually install patch BT26-02-RS or BT26-02-PRA, depending on their product. Note that customers running older versions of the software must first upgrade to a supported version before the patch can be applied. CISA emphasizes that successful exploitation requires no user interaction and can lead to total system compromise, data exfiltration, and service disruption.
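A defender-side check for the two behaviours the article describes, written as an added example (not code from the article or from Arctic Wolf): it correlates Windows Security events so that an account created (4720) and then added to Domain Admins or Enterprise Admins (4728/4756) within a short window is flagged, and it spots an .exe launched directly from the ProgramData root. Field names follow the standard Security log schema; the event records below are constructed samples, not real telemetry.

```python
from pathlib import PureWindowsPath

# Tier-0 groups named in the article's escalation step.
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}
ACCOUNT_CREATED = 4720        # Security event: a user account was created
GROUP_ADD_IDS = {4728, 4756}  # member added to a security-enabled global / universal group

def find_fast_escalations(events, window_seconds=3600):
    """Return (account, group, seconds_after_creation) for accounts promoted to a Tier-0 group soon after creation."""
    created_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == ACCOUNT_CREATED:
            created_at[ev["TargetUserName"].lower()] = ev["Time"]
        elif ev["EventID"] in GROUP_ADD_IDS and ev["TargetUserName"] in PRIV_GROUPS:
            # MemberName is a DN such as CN=svc_backup,CN=Users,DC=corp,DC=example
            member = ev["MemberName"].split(",")[0].removeprefix("CN=").lower()
            if member in created_at:
                delta = ev["Time"] - created_at[member]
                if 0 <= delta <= window_seconds:
                    hits.append((member, ev["TargetUserName"], delta))
    return hits

def is_programdata_root_exec(new_process_name):
    """True for an .exe started directly from the ProgramData root (not a subfolder), as in the renamed SimpleHelp case."""
    p = PureWindowsPath(new_process_name)
    parent = [part.lower() for part in p.parent.parts]
    return p.suffix.lower() == ".exe" and parent == ["c:\\", "programdata"]

# Constructed sample records (not real telemetry); Time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": 1000, "TargetUserName": "svc_backup"},
    {"EventID": 4728, "Time": 1030, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4756, "Time": 1040, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    # Long-standing account promoted without a preceding 4720: not flagged.
    {"EventID": 4728, "Time": 1100, "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    # Account promoted a day after creation: outside the window, not flagged.
    {"EventID": 4720, "Time": 2000, "TargetUserName": "intern01"},
    {"EventID": 4728, "Time": 92000, "TargetUserName": "Domain Admins",
     "MemberName": "CN=intern01,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for account, group, secs in find_fast_escalations(SAMPLE_EVENTS):
        print(f"ALERT: {account} added to {group} {secs}s after creation")
    print(is_programdata_root_exec(r"C:\ProgramData\remote access.exe"))
```

In a real deployment the records would come from a SIEM export or Get-WinEvent output; the window is deliberately short because legitimate provisioning rarely adds a brand-new account to a Tier-0 group within minutes.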