{"id":10683,"date":"2026-02-16T10:03:38","date_gmt":"2026-02-16T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/16\/critical-beyondtrust-vulnerability-exploited-in-the-wild-to-gain-full-domain-control\/"},"modified":"2026-02-16T10:03:38","modified_gmt":"2026-02-16T10:03:38","slug":"critical-beyondtrust-vulnerability-exploited-in-the-wild-to-gain-full-domain-control","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/16\/critical-beyondtrust-vulnerability-exploited-in-the-wild-to-gain-full-domain-control\/","title":{"rendered":"Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control"},"content":{"rendered":"<div>\n<p>A critical vulnerability tracked as\u00a0CVE-2026-1731 is being actively exploited in the wild, enabling attackers to gain\u00a0<a href=\"https:\/\/cybersecuritynews.com\/windows-server-2025-restart-bug\/\" target=\"_blank\" rel=\"noreferrer noopener\">full domain control\u00a0over affected systems.<\/a><\/p>\n<p>Threat actors are leveraging this flaw to execute operating system commands remotely without authentication.<\/p>\n<p>The flaw, discovered in self-hosted BeyondTrust deployments, allows unauthenticated attackers to <a href=\"https:\/\/cybersecuritynews.com\/pan-os-admin-command-injection-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">run arbitrary OS commands<\/a> via specially crafted HTTP requests, executing them under the site user\u2019s privileges.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/beyondtrust-remote-access-products-0-day-vulnerability\/\" id=\"https:\/\/cybersecuritynews.com\/beyondtrust-remote-access-products-0-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cloud-ho<\/a><a 
href=\"https:\/\/cybersecuritynews.com\/beyondtrust-remote-access-products-0-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">sted BeyondTrust instances<\/a> have already been automatically patched as of\u00a0February 2, 2026. However, self-hosted customers must apply updates manually to mitigate exploitation risks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-technical-details\"><strong>Technical Details<\/strong><\/h2>\n<p>Arctic Wolf\u2019s analysis revealed attackers deploying\u00a0SimpleHelp Remote Access\u00a0binaries as part of their post-exploitation activity.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE ID<\/th>\n<th>CVSS Score<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>CVE-2026-1731<\/strong><\/td>\n<td>9.8 (Critical)<\/td>\n<td>Unauthenticated OS command injection in BeyondTrust RS and PRA enabling remote code execution and full system compromise.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>These binaries were created through BeyondTrust Bomgar processes running under the <a href=\"https:\/\/cybersecuritynews.com\/windows-11-new-security-feature\/\" target=\"_blank\" rel=\"noreferrer noopener\">SYSTEM account<\/a> and saved in the\u00a0ProgramData\u00a0directory, commonly named\u00a0<em>remote access.exe<\/em>.<\/p>\n<p>The attackers used\u00a0net user\u00a0and\u00a0net group\u00a0commands to create privileged domain accounts, effectively granting themselves\u00a0Enterprise Admin\u00a0or\u00a0Domain Admin\u00a0rights.<\/p>\n<p>For reconnaissance, the\u00a0AdsiSearcher\u00a0function was executed to enumerate <a href=\"https:\/\/cybersecuritynews.com\/windows-smb-client-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Active Directory computers<\/a>, alongside network discovery commands such as\u00a0net share,\u00a0ipconfig \/all, and\u00a0systeminfo.<\/p>\n<figure class=\"wp-block-table 
is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Product<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Affected Versions<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Fixed Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Remote Support (RS)<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">25.3.1 and prior<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Patch BT26-02-RS (v21.3\u201325.3.1)<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Privileged Remote Access (PRA)<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">24.3.4 and prior<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Patch BT26-02-PRA (v22.1\u201324.X)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><a href=\"https:\/\/arcticwolf.com\/resources\/blog\/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Arctic Wolf investigators noted<\/a> the use of\u00a0PSExec\u00a0and\u00a0Impacket SMBv2 session setup requests, suggesting coordinated propagation of the SimpleHelp tool across multiple networked hosts.<\/p>\n<p>Security experts strongly advise patching all vulnerable versions immediately. 
All\u00a0cloud-based\u00a0BeyondTrust customers are already protected.<\/p>\n<p><a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-1731\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CISA advises<\/a> that self-hosted deployments running versions older than RS 21.3 or PRA 22.1 must first be upgraded before applying the patch.<\/p>\n<p>Administrators should review systems for unauthorized\u00a0<em>SimpleHelp<\/em> binaries, suspicious admin accounts, and unusual <a href=\"https:\/\/cybersecuritynews.com\/analyzing-malwares-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">network traffic<\/a> related to SMB sessions.<\/p>\n<p>The post 
<a href=\"https:\/\/cybersecuritynews.com\/beyondtrust-vulnerability-exploited\/\">Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/beyondtrust-vulnerability-exploited\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control A critical vulnerability tracked as\u00a0CVE-2026-1731 is being actively exploited in the wild, enabling attackers to gain\u00a0full domain control\u00a0over affected systems. Threat actors are leveraging this flaw to execute operating system commands remotely without authentication. 
The flaw, discovered in self-hosted BeyondTrust deployments, allows unauthenticated [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,2169,131],"tags":[130],"class_list":["post-10683","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-exploit","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10683"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10683"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10683\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}