Attackers Exploit Critical BeyondTrust Flaw to Seize Full Active Directory Control - gbhackers.com
By Divya
February 16, 2026
A critical vulnerability, CVE-2026-1731, affects self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) deployments and is being exploited in the wild.
The flaw lets an unauthenticated attacker inject operating system commands into the appliance, which amounts to remote code execution on it.
Evidence of active exploitation has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal civilian agencies to patch by February 16, 2026.
Cloud-hosted customers were patched automatically earlier this month; self-hosted environments remain at significant risk until the patch is applied.
Technical Analysis and Exploitation
The observed attack chain begins with exploitation of an unpatched BeyondTrust appliance, after which the attackers deploy the SimpleHelp Remote Monitoring and Management (RMM) tool to establish persistence.
To evade detection, they rename the SimpleHelp binaries to generic filenames such as "remote access.exe" and execute them directly from the root of C:\ProgramData rather than from a vendor subfolder.
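The renamed-binary and ProgramData-root behaviour above is cheap to hunt for in process-creation telemetry. The following Python is added here as an example and is not part of the article or of any vendor's tooling. It applies three checks to Sysmon Event ID 1-style records: an executable sitting directly in C:\ProgramData with no vendor subfolder, a PE OriginalFileName that does not match the on-disk name (the signature of a renamed binary), and the exact filename reported in this campaign. The sample events, including the OriginalFileName values, are constructed for illustration and are not real telemetry or SimpleHelp's actual PE metadata.

```python
"""Hunt for renamed remote-access binaries launched from the ProgramData root.

Added example: the events below are constructed, not real logs. Field names
follow Sysmon Event ID 1 (Image, OriginalFileName, ParentImage).
"""
from pathlib import PureWindowsPath

PROGRAMDATA_ROOT = PureWindowsPath(r"C:\ProgramData")
# Filename the article reports for the renamed SimpleHelp binary.
KNOWN_CAMPAIGN_FILENAMES = {"remote access.exe"}

SAMPLE_EVENTS = [  # constructed sample records
    # Matches the reported tradecraft: generic name, ProgramData root, PE name differs.
    {"Image": r"C:\ProgramData\remote access.exe",
     "OriginalFileName": "SimpleHelpRemoteAccess.exe",  # constructed, not SimpleHelp's real PE name
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Legitimate agent living in its own vendor subfolder: should not fire.
    {"Image": r"C:\ProgramData\Vendor\Updater\updater.exe",
     "OriginalFileName": "updater.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Renamed admin tool dropped in the ProgramData root: fires on two rules.
    {"Image": r"C:\PROGRAMDATA\svc.exe",
     "OriginalFileName": "PsExec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Ordinary process: should not fire.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def assess_event(event):
    """Return the names of the rules this event triggers (empty list if benign)."""
    image = PureWindowsPath(event["Image"])
    reasons = []
    # Rule 1: an .exe sitting directly in C:\ProgramData. PureWindowsPath
    # equality is case-insensitive, so C:\PROGRAMDATA also matches.
    if image.parent == PROGRAMDATA_ROOT and image.suffix.lower() == ".exe":
        reasons.append("exe_in_programdata_root")
    # Rule 2: on-disk filename differs from the PE header's OriginalFileName,
    # the usual tell for a renamed binary.
    original = event.get("OriginalFileName", "")
    if original and original.lower() != image.name.lower():
        reasons.append("renamed_binary")
    # Rule 3: exact filename reported in this campaign.
    if image.name.lower() in KNOWN_CAMPAIGN_FILENAMES:
        reasons.append("known_campaign_filename")
    return reasons


def hunt(events):
    """Return [(image_path, [rules...])] for every event that fires at least one rule."""
    findings = []
    for event in events:
        reasons = assess_event(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Rule 2 is the one worth keeping in a production query: the campaign-specific filename will change, but a binary whose on-disk name disagrees with its own version resource is suspicious wherever it runs.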
CVE ID: CVE-2026-1731
Severity: Critical
Description: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS command injection vulnerability allowing unauthenticated remote attackers to execute operating system commands in the context of the site user.
Arctic Wolf researchers observed that once access is established, the threat actors move quickly to escalate privileges within the network.
They use standard Windows commands to create new domain accounts and immediately add them to high-privilege groups, specifically Enterprise Admins and Domain Admins.
That membership grants the attackers full control over the victim's Active Directory environment.
Following the privilege escalation, the attackers use tools such as the PowerShell [adsisearcher] type accelerator (a DirectorySearcher over ADSI) to inventory Active Directory computers and map the network structure.
Affected Products and Fixes
Product: Remote Support (RS); Affected versions: 25.3.1 and prior; Required fix: patch BT26-02-RS (applies to v21.3 – 25.3.1)
Product: Privileged Remote Access (PRA); Affected versions: 24.3.4 and prior; Required fix: patch BT26-02-PRA (applies to v22.1 – 24.X)
Discovery also includes commands to enumerate network shares and system configuration details.
To expand their foothold, the threat actors use PsExec to push SimpleHelp installations to multiple devices and Impacket for lateral movement over SMBv2 session setup requests.
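The escalation and lateral-movement steps described above map onto a handful of Windows event IDs: 4720 (user account created), 4728 and 4756 (member added to a security-enabled global group such as Domain Admins, or to a universal group such as Enterprise Admins), 7045 (service installed, which is how PsExec drops PSEXESVC on a target) and 4624 with logon type 3 and the NTLM package (the network logons that Impacket-style SMB tooling produces). The Python below is an added example, not code from the article or from Arctic Wolf; it correlates those events over a constructed sample set in which the host names, account names, addresses and timestamps are invented.

```python
"""Correlate Windows events for the post-exploitation steps in the article:
a freshly created account added to Domain/Enterprise Admins, PsExec-style
service installs, and one source fanning out NTLM network logons.

Added example; SAMPLE_EVENTS is constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}
ESCALATION_WINDOW = timedelta(minutes=30)   # 4720 -> 4728/4756 within this is suspicious
FANOUT_THRESHOLD = 3                         # distinct hosts reached by one source over NTLM

T0 = datetime(2026, 2, 10, 3, 12, 0)  # constructed base timestamp

SAMPLE_EVENTS = [  # constructed records, field names follow Security/System event XML
    {"EventID": 4720, "Time": T0, "Computer": "DC01",
     "SubjectUserName": "webadmin", "TargetUserName": "svc_bkp"},
    {"EventID": 4728, "Time": T0 + timedelta(seconds=40), "Computer": "DC01",
     "SubjectUserName": "webadmin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_bkp,CN=Users,DC=corp,DC=example"},
    {"EventID": 4756, "Time": T0 + timedelta(seconds=55), "Computer": "DC01",
     "SubjectUserName": "webadmin", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_bkp,CN=Users,DC=corp,DC=example"},
    # Benign: provisioning bot creates a user, adds it to an ordinary group hours later.
    {"EventID": 4720, "Time": T0 - timedelta(hours=5), "Computer": "DC01",
     "SubjectUserName": "hr_bot", "TargetUserName": "jdoe"},
    {"EventID": 4728, "Time": T0 - timedelta(hours=3), "Computer": "DC01",
     "SubjectUserName": "hr_bot", "TargetUserName": "Finance Users",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    # Service installs: one PsExec, one legitimate agent.
    {"EventID": 7045, "Time": T0 + timedelta(minutes=5), "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Time": T0 - timedelta(days=1), "Computer": "FS01",
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # One Kerberos network logon that should not count toward NTLM fan-out.
    {"EventID": 4624, "Time": T0, "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.20.30.41",
     "TargetUserName": "jdoe"},
] + [
    # NTLM type-3 logons from a single source to four different hosts.
    {"EventID": 4624, "Time": T0 + timedelta(minutes=6 + i), "Computer": host,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.20.30.40", "TargetUserName": "svc_bkp"}
    for i, host in enumerate(["FS01", "APP02", "SQL03", "WS117"])
]


def _cn(distinguished_name):
    """Pull the leading CN value out of 'CN=svc_bkp,CN=Users,DC=...'."""
    match = re.match(r"CN=([^,]+)", distinguished_name, re.IGNORECASE)
    return match.group(1).lower() if match else distinguished_name.lower()


def new_accounts_made_privileged(events, window=ESCALATION_WINDOW):
    """(account, group, actor) for each 4720 followed within `window` by a
    4728/4756 that puts that account into a privileged group."""
    created = [e for e in events if e["EventID"] == 4720]
    adds = [e for e in events if e["EventID"] in (4728, 4756)]
    hits = []
    for c in created:
        for a in adds:
            if (a["TargetUserName"].lower() in PRIVILEGED_GROUPS
                    and _cn(a["MemberName"]) == c["TargetUserName"].lower()
                    and timedelta(0) <= a["Time"] - c["Time"] <= window):
                hits.append((c["TargetUserName"], a["TargetUserName"], a["SubjectUserName"]))
    return hits


def psexec_style_services(events):
    """(host, service name) for 7045 installs whose name or binary is PSEXESVC."""
    return [(e["Computer"], e["ServiceName"]) for e in events
            if e["EventID"] == 7045
            and "psexesvc" in (e["ServiceName"] + e["ImagePath"]).lower()]


def ntlm_network_logon_fanout(events, threshold=FANOUT_THRESHOLD):
    """{source_ip: [hosts]} for sources reaching >= threshold distinct hosts
    through NTLM network (type 3) logons."""
    hosts_by_source = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"].upper() == "NTLM"):
            hosts_by_source[e["IpAddress"]].add(e["Computer"])
    return {src: sorted(h) for src, h in hosts_by_source.items() if len(h) >= threshold}


if __name__ == "__main__":
    print("escalation:", new_accounts_made_privileged(SAMPLE_EVENTS))
    print("psexec    :", psexec_style_services(SAMPLE_EVENTS))
    print("fan-out   :", ntlm_network_logon_fanout(SAMPLE_EVENTS))
```

The escalation rule is the high-signal one: legitimate account provisioning rarely lands a brand-new account in Domain Admins or Enterprise Admins within minutes, so a short window keeps the false-positive rate low. The fan-out threshold and the NTLM-only filter will need tuning per environment; Kerberos-authenticated admin tooling should not trip it.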
Organizations running self-hosted Remote Support or Privileged Remote Access must apply the available security updates immediately.
BeyondTrust has confirmed that all cloud-hosted instances were patched automatically on February 2, 2026, and require no further customer action.
On-premises administrators must install patch BT26-02-RS or BT26-02-PRA, depending on the product.
Customers running versions older than the patch's supported range must first upgrade to a supported version before the patch can be applied.
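Turning the version table and the upgrade-first caveat into a fleet check, as an added example rather than BeyondTrust tooling: each self-hosted RS or PRA build is classified as patchable with BT26-02-RS or BT26-02-PRA, as needing an upgrade to a supported version first, or as newer than the listed affected ceiling. The inventory is constructed. The assumption that a build above 25.3.1 (RS) or 24.3.4 (PRA) falls outside the affected range is mine and is not stated on the page; confirm it against the vendor advisory before trusting that verdict.

```python
"""Classify BeyondTrust RS/PRA deployments against the article's fix table.

Added example. The affected ceilings and patch ranges come from the article;
treating anything newer than the ceiling as out of scope is an assumption.
"""

PRODUCTS = {
    # affected_max: "X and prior" column; patch_min: lowest version the patch applies to
    "RS":  {"affected_max": (25, 3, 1), "patch": "BT26-02-RS",  "patch_min": (21, 3)},
    "PRA": {"affected_max": (24, 3, 4), "patch": "BT26-02-PRA", "patch_min": (22, 1)},
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1); '22.1' -> (22, 1, 0). Raises on junk input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def triage(product, version, hosted="self"):
    """Return one of: cloud_patched, not_listed_affected, upgrade_first, apply_<patch>."""
    if hosted == "cloud":
        return "cloud_patched"  # article: all cloud instances patched 2 Feb 2026
    info = PRODUCTS[product.upper()]
    v = parse_version(version)
    if v > info["affected_max"]:
        # Assumption: newer than the "and prior" ceiling -> not in the affected list.
        return "not_listed_affected"
    if v[:2] < info["patch_min"]:
        # Below the patch's supported range: upgrade to a supported release first.
        return "upgrade_first"
    return "apply_" + info["patch"]


def triage_fleet(inventory):
    """[(product, version, hosted, verdict), ...] for a list of (product, version, hosted)."""
    return [(p, ver, hosted, triage(p, ver, hosted)) for p, ver, hosted in inventory]


SAMPLE_INVENTORY = [  # constructed
    ("RS", "25.3.1", "self"),
    ("RS", "21.2.0", "self"),
    ("PRA", "24.3.4", "self"),
    ("PRA", "22.1", "self"),
    ("PRA", "21.4", "self"),
    ("RS", "25.3.1", "cloud"),
]

if __name__ == "__main__":
    for product, version, hosted, verdict in triage_fleet(SAMPLE_INVENTORY):
        print(f"{product:<4}{version:<8}{hosted:<6}{verdict}")
```

Anything that comes back as upgrade_first is the case the article warns about: the patch bundle will not apply until the appliance is on a release inside the patch's supported range, so those hosts need two maintenance steps, not one.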
CISA emphasizes that successful exploitation requires no user interaction and can lead to total system compromise, data exfiltration, and service disruption.