
Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control - CyberSecurityNews

Source: CyberSecurityNews (archived Mar 21, 2026)

A critical vulnerability tracked as CVE-2026-1731 is being actively exploited in the wild, enabling attackers to gain full domain control over affected systems. Threat actors are leveraging this flaw to execute operating system commands remotely without authentication.

The flaw, found in self-hosted BeyondTrust deployments, allows unauthenticated attackers to run arbitrary OS commands via specially crafted HTTP requests; the commands execute with the privileges of the site user. Cloud-hosted BeyondTrust instances were automatically patched as of February 2, 2026. Self-hosted customers, however, must apply the updates manually to mitigate the risk of exploitation.

Technical Details

Arctic Wolf's analysis revealed attackers deploying SimpleHelp Remote Access binaries as part of their post-exploitation activity.

CVE ID        | CVSS Score     | Description
--------------|----------------|------------------------------------------------------------------------------------------------
CVE-2026-1731 | 9.8 (Critical) | Unauthenticated OS command injection in BeyondTrust RS and PRA enabling remote code execution and full system compromise.

These binaries were created by BeyondTrust Bomgar processes running under the SYSTEM account and saved in the ProgramData directory, commonly under the name remote access.exe. The attackers used net user and net group commands to create privileged domain accounts, effectively granting themselves Enterprise Admin or Domain Admin rights. For reconnaissance, the AdsiSearcher function was executed to enumerate Active Directory computers, alongside network discovery commands such as net share, ipconfig /all, and systeminfo.

Product                        | Affected Versions | Fixed Versions
-------------------------------|-------------------|---------------------------------
Remote Support (RS)            | 25.3.1 and prior  | Patch BT26-02-RS (v21.3–25.3.1)
Privileged Remote Access (PRA) | 24.3.4 and prior  | Patch BT26-02-PRA (v22.1–24.X)

Arctic Wolf investigators also noted the use of PSExec and Impacket SMBv2 session setup requests, suggesting coordinated propagation of the SimpleHelp tool across multiple networked hosts.

Security experts strongly advise patching all vulnerable versions immediately. All cloud-based BeyondTrust customers are already protected. CISA advises that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded before the patch can be applied. Administrators should review systems for unauthorized SimpleHelp binaries, suspicious admin accounts, and unusual network traffic related to SMB sessions.
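As an added example (not code from the article, BeyondTrust or Arctic Wolf), the following Python script turns the post-exploitation indicators described above into hunting rules over process-creation records: a Bomgar-parented child running as SYSTEM out of ProgramData, net user/net group additions (with admin groups flagged separately), AdsiSearcher enumeration, and the listed discovery commands. All sample events, including the Bomgar parent path, are constructed placeholders rather than real telemetry; findings are grouped per host so a machine matching several distinct rules stands out for review.

```python
import re

# Constructed sample process-creation records (Sysmon event 1 / 4688 style), not real telemetry.
# The Bomgar parent path is a hypothetical placeholder; the rule matches on the vendor name, not this path.
SAMPLE_EVENTS = [
    {"host": "RS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Program Files\\Bomgar\\bomgar-scc.exe",
     "image": "C:\\ProgramData\\remote access.exe", "cmdline": "\"C:\\ProgramData\\remote access.exe\""},
    {"host": "RS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"Domain Admins\" svc_upd /add /domain"},
    {"host": "RS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c ([adsisearcher]'objectCategory=computer').FindAll()"},
    {"host": "RS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"},
    {"host": "WS07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",   # benign control record
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\fs01\\share"},
]

ACCOUNT_ADD = re.compile(r"\bnet1?\s+(user|group)\b.*\s/add\b", re.I)
PRIV_GROUPS = re.compile(r"(domain|enterprise) admins", re.I)
RECON = re.compile(r"\b(net\s+share|ipconfig\s+/all|systeminfo)\b", re.I)

def classify(ev):
    """Return the names of the rules an event matches (empty list = nothing suspicious)."""
    hits, cmd = [], ev["cmdline"]
    # Rule 1: Bomgar-parented child running as SYSTEM whose image lives under ProgramData
    if ("bomgar" in ev["parent"].lower() and ev["user"].upper().endswith("SYSTEM")
            and "\\programdata\\" in ev["image"].lower()):
        hits.append("bomgar_spawned_programdata_binary")
    # Rule 2: account creation or group-membership change via net.exe; admin groups get their own label
    if ACCOUNT_ADD.search(cmd):
        hits.append("privileged_group_add" if PRIV_GROUPS.search(cmd) else "account_add")
    # Rule 3: Active Directory enumeration through the [adsisearcher] type accelerator
    if "adsisearcher" in cmd.lower():
        hits.append("ad_enumeration")
    # Rule 4: the discovery commands named in the report (weak alone, useful in combination)
    if RECON.search(cmd):
        hits.append("host_recon")
    return hits

def hunt(events):
    """Group (rule, command line) findings by host; more distinct rules on one host means a stronger lead."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], []).append((rule, ev["cmdline"]))
    return per_host
```

Calling hunt(SAMPLE_EVENTS) returns findings for RS01 only; the benign net use record on WS07 matches none of the rules.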
Article Info
Source: CyberSecurityNews
Category: Vulnerabilities & CVEs
Published: Mar 21, 2026
Archived: Mar 21, 2026