GBHackers

Attackers Exploit Critical BeyondTrust Flaw to Seize Full Active Directory Control


A critical vulnerability, CVE-2026-1731, affects self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments.

This security flaw allows unauthenticated attackers to inject operating system commands, effectively granting them remote code execution capabilities.

The severity of this campaign has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch the issue by February 16, 2026.

While cloud customers were automatically secured earlier this month, self-hosted environments remain at significant risk if left unpatched.

Technical Analysis and Exploitation

The observed attack chain begins with the exploitation of the unpatched BeyondTrust appliance, leading to the deployment of the SimpleHelp Remote Monitoring and Management tool to establish persistence.

Attackers attempt to evade detection by renaming the SimpleHelp binaries to generic filenames, such as “remote access.exe,” and executing them directly from the ProgramData root directory.

CVE ID | Severity | Description
CVE-2026-1731 | Critical | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability allowing unauthenticated remote attackers to execute operating system commands in the context of the site user.

Arctic Wolf researchers have observed that once access is established, the threat actors move quickly to escalate privileges within the network.

They utilize standard Windows commands to create new domain accounts and immediately add them to high-privilege groups, specifically the Enterprise Admins and Domain Admins groups.

This escalation grants the attackers full control over the victim’s Active Directory environment.

Following the privilege escalation, the attackers employ tools like AdsiSearcher to inventory Active Directory computers and gather intelligence on the network structure.
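As an added example (not code from the article or from Arctic Wolf), the detection logic below correlates Windows Security events to flag the escalation pattern described above, a newly created domain account added to Domain Admins or Enterprise Admins within minutes, and flags executables launched straight from the ProgramData root, where the renamed SimpleHelp binaries were reported to run. The event IDs are the standard Windows ones (4720 user created, 4728/4756 member added to a global/universal group); the field names and sample events are constructed for illustration.

```python
# Added example, not from the article. Field names and sample events are constructed.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

HIGH_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=30)  # how soon after creation a group add is suspicious

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def new_admins(events, window=WINDOW):
    """Return (account, group) pairs where an account was created (EID 4720) and then
    added to a high-privilege group (EID 4728 global / 4756 universal) within `window`."""
    created = {}  # account name -> creation time
    hits = []
    for e in sorted(events, key=lambda e: ts(e["time"])):
        if e["id"] == 4720:
            created[e["target"].lower()] = ts(e["time"])
        elif e["id"] in (4728, 4756) and e["group"] in HIGH_PRIV_GROUPS:
            t0 = created.get(e["member"].lower())
            if t0 is not None and ts(e["time"]) - t0 <= window:
                hits.append((e["member"], e["group"]))
    return hits

def from_programdata_root(image):
    """True when the executable sits directly in C:\\ProgramData with no subfolder,
    which legitimate installers almost never do."""
    parent = [part.lower() for part in PureWindowsPath(image).parts[:-1]]
    return parent == ["c:\\", "programdata"]

# Constructed sample: mirrors the reported create-then-elevate sequence, plus one
# group change for a long-standing account that should not be flagged.
SAMPLE_EVENTS = [
    {"time": "2026-02-10 03:12:05", "id": 4720, "target": "svc_backup2"},
    {"time": "2026-02-10 03:12:41", "id": 4728, "member": "svc_backup2", "group": "Domain Admins"},
    {"time": "2026-02-10 03:13:02", "id": 4756, "member": "svc_backup2", "group": "Enterprise Admins"},
    {"time": "2026-02-10 09:00:00", "id": 4728, "member": "j.smith", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for account, group in new_admins(SAMPLE_EVENTS):
        print(f"ALERT: new account {account} added to {group} shortly after creation")
    for image in (r"C:\ProgramData\remote access.exe", r"C:\ProgramData\Vendor\agent.exe"):
        print(image, "->", "ProgramData root" if from_programdata_root(image) else "ok")
```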

Affected Products and Fixes

Product | Affected Version | Required Fix
Remote Support (RS) | 25.3.1 and prior | Patch BT26-02-RS (v21.3 – 25.3.1)
Privileged Remote Access (PRA) | 24.3.4 and prior | Patch BT26-02-PRA (v22.1 – 24.X)

Discovery activities also include the execution of commands to list network shares and system configuration details.

To expand their foothold, the threat actors use PsExec to run SimpleHelp installations across multiple devices and use Impacket for lateral movement via SMBv2 session setup requests.

Organizations using self-hosted versions of Remote Support and Privileged Remote Access must apply the available security updates immediately to prevent system compromise.

BeyondTrust has confirmed that all cloud-based instances were automatically patched on February 2, 2026, and require no further user action.

However, on-premises administrators must manually install patches BT26-02-RS or BT26-02-PRA depending on their product version.

It is crucial to note that customers running older versions of the software must first upgrade to a supported version before the patch can be applied.

CISA emphasizes that successful exploitation requires no user interaction and can lead to total system compromise, data exfiltration, and service disruption.
