A critical vulnerability in widely used remote access software is currently under active attack, with threat actors using the flaw to plant backdoors and scout corporate networks. Arctic Wolf has issued a warning regarding CVE-2026-1731, a nearly maximum-severity flaw (CVSS 9.9) in self-hosted BeyondTrust Remote Support and Privileged Remote Access environments.
The vulnerability, which allows unauthenticated attackers to execute operating system commands, has already been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, signaling an immediate threat to organizations that haven't patched.
While the vulnerability opens the door, it’s what attackers are bringing inside that is raising alarms. Arctic Wolf observed threat actors using the exploit to deploy SimpleHelp, a legitimate Remote Monitoring and Management (RMM) tool, to maintain persistence on compromised systems.
To hide their tracks, the attackers aren't running SimpleHelp openly. They are renaming the binaries, often to generic names like remote access.exe, and executing them from the ProgramData root directory using the SYSTEM account.
Once inside, the adversaries move quickly to map out the network. The report details a “Discovery” phase where attackers use tools like AdsiSearcher to inventory Active Directory computers and run standard commands like systeminfo and ipconfig to understand their foothold.
More dangerously, they are actively hunting for administrative power. Arctic Wolf observed commands attempting to add users to high-privilege groups:
- net group "enterprise admins" REDACTED_USERNAME /add /domain
- net group "domain admins" REDACTED_USERNAME /add /domain
Lateral movement is also in play, with attackers using PsExec to spread the SimpleHelp installation across the environment and employing Impacket for SMBv2 session requests.
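As an added illustration (not code from the Arctic Wolf report or this article), the following Python triage routine checks process-creation records for the three behaviours described above: an executable launched directly from the ProgramData root as SYSTEM, net group additions to the domain or enterprise admins groups, and PsExec binaries. The event records and account names are constructed for the demo; the field names follow Sysmon's Image/User/CommandLine layout.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (not telemetry from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\remote access.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'"C:\ProgramData\remote access.exe"'},
    {"Image": r"C:\Windows\System32\net.exe", "User": r"CORP\svc-helpdesk",
     "CommandLine": 'net group "domain admins" jdoe /add /domain'},
    {"Image": r"C:\Windows\System32\net.exe", "User": r"CORP\helpdesk",
     "CommandLine": "net user jdoe /domain"},
    {"Image": r"C:\ProgramData\Vendor\updater.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"C:\ProgramData\Vendor\updater.exe /check"},
    {"Image": r"C:\Tools\PsExec64.exe", "User": r"CORP\svc-helpdesk",
     "CommandLine": "PsExec64.exe"},
]

# net/net1 adding an account to either domain-wide admin group; straight or curly quotes.
PRIV_GROUP_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+["\u201c\u201d]?(domain admins|enterprise admins)'
    r'["\u201c\u201d]?\s+\S+\s+/add\b.*\s/domain\b', re.IGNORECASE)

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def in_programdata_root(image: str) -> bool:
    # Flag only files directly under <drive>\ProgramData, not vendor subfolders.
    parts = PureWindowsPath(image).parts
    return len(parts) == 3 and parts[1].lower() == "programdata"


def is_system(user: str) -> bool:
    return user.rsplit("\\", 1)[-1].upper() == "SYSTEM"


def triage(events):
    """Return (rule, detail) tuples for events matching the reported behaviours."""
    findings = []
    for ev in events:
        image, user, cmd = ev["Image"], ev["User"], ev.get("CommandLine", "")
        name = PureWindowsPath(image).name.lower()
        match = PRIV_GROUP_RE.search(cmd)
        if match:
            findings.append(("priv_group_add", match.group(1).lower()))
        if in_programdata_root(image) and is_system(user):
            findings.append(("system_exec_from_programdata_root", name))
        if name in PSEXEC_NAMES:
            findings.append(("psexec_activity", name))
    return findings
```

Legitimate administration will trigger the group-add and PsExec rules on occasion, so treat hits as triage leads to correlate with the BeyondTrust appliance logs rather than as standalone alerts.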
BeyondTrust confirmed that their cloud customers were patched automatically on February 2, 2026, and require no action. However, self-hosted customers are on their own and must manually apply the updates immediately.
Arctic Wolf “strongly recommends” that administrators apply the fixes immediately.
- Remote Support (RS): Patch if on version 25.3.1 and prior.
- Privileged Remote Access (PRA): Patch if on version 24.3.4 and prior.