Critical BeyondTrust Vulnerability Exploited, Grants Full Domain Control; Urgent Patches Released

A critical vulnerability tracked as CVE-2026-1731 is being actively exploited in the wild. It affects self-hosted deployments of BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products and allows a remote attacker to execute operating system commands without authenticating. In the intrusions observed so far, attackers have used that initial foothold to take full control of the victim’s Active Directory domain.

Technical Overview

The vulnerability is a pre-authentication command injection flaw: an attacker with network access to the appliance can execute arbitrary OS commands by sending specially crafted HTTP requests, with no credentials required. The injected commands run with the privileges of the site user, which is enough to fully compromise the appliance and use it as a pivot into the environment it manages.

Affected Versions and Patches

The following versions are impacted:

– Remote Support (RS): Versions 25.3.1 and earlier.

– Privileged Remote Access (PRA): Versions 24.3.4 and earlier.

BeyondTrust has released patches to address this vulnerability:

– RS: Patch BT26-02-RS for versions 21.3 through 25.3.1.

– PRA: Patch BT26-02-PRA for versions 22.1 through 24.x.

Cloud-hosted instances were patched automatically on February 2, 2026. Self-hosted customers must apply the patches themselves; until they do, their deployments remain exposed to exploitation.

Exploitation Details

Security firm Arctic Wolf has observed attackers using the vulnerability to deploy SimpleHelp remote-access binaries. In the observed cases, the binaries were written by BeyondTrust Bomgar processes running under the SYSTEM account and were typically placed in the ProgramData directory under innocuous names such as remote access.exe.

Attackers have used `net user` and `net group` to create new domain accounts and add them to privileged groups, effectively granting themselves Domain Admin or Enterprise Admin rights. For reconnaissance, they used the PowerShell `[adsisearcher]` type accelerator (a thin wrapper around System.DirectoryServices.DirectorySearcher) to enumerate Active Directory computer objects, alongside network discovery commands such as `net share`, `ipconfig /all`, and `systeminfo`.

Further analysis identified PsExec usage and SMBv2 session setup requests characteristic of Impacket, indicating coordinated lateral movement and propagation of the SimpleHelp tool to multiple hosts across the network.
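The activity chain above (a SYSTEM-level Bomgar process dropping a non-Bomgar executable under ProgramData, `net user`/`net group` account creation, `[adsisearcher]` enumeration, and recon commands) maps directly onto process-creation telemetry. The following is an added detection example written for this article; it is not code from Arctic Wolf or BeyondTrust. The sample events are constructed in a flattened Sysmon Event ID 1 / Security 4688 style with field names of my own choosing, the `bomgar-scc` path and the exclusion of `bomgar*` child processes are assumptions about how the legitimate jump client looks, and the rule that recon commands are only suspicious when run as SYSTEM from a ProgramData parent is a heuristic I chose to keep the rule quiet on normal admin activity.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Flattened Sysmon EID 1 /
# Security 4688 style; field names are this example's own.
SAMPLE_EVENTS = [
    # SYSTEM-level Bomgar jump client launches a freshly dropped binary under ProgramData
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\bomgar-scc-0x1234\\bomgar-scc.exe",   # assumed path
     "image": "C:\\ProgramData\\remote access.exe",
     "command_line": '"C:\\ProgramData\\remote access.exe"'},
    # dropped binary creates a domain account and adds it to Domain Admins
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\remote access.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user svc_backup P@ssw0rd! /add /domain"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\remote access.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": 'net group "Domain Admins" svc_backup /add /domain'},
    # AD computer enumeration via the [adsisearcher] type accelerator
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\remote access.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": 'powershell -c "([adsisearcher]\\"objectCategory=computer\\").FindAll()"'},
    # network recon from the dropped binary
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\remote access.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "command_line": "ipconfig /all"},
    # benign: a helpdesk user running the same recon command from cmd.exe
    {"host": "WS02", "user": "CORP\\helpdesk1",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "command_line": "ipconfig /all"},
    # benign (assumed): Bomgar launching one of its own components under ProgramData
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\ProgramData\\bomgar-scc-0x1234\\bomgar-scc.exe",
     "image": "C:\\ProgramData\\bomgar-scc-0x1234\\bomgar-pac.exe",
     "command_line": "bomgar-pac.exe"},
]

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}
RECON_RE = re.compile(r"^(?:net1?\s+share|ipconfig\s+/all|systeminfo)\b")
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b")
NET_GROUP_ADD_RE = re.compile(r'\bnet1?\s+group\s+"?([^"/]+?)"?\s+\S+\s+/add\b')


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under_programdata(path: str) -> bool:
    return "\\programdata\\" in path.lower()


def _is_system(user: str) -> bool:
    return user.lower().endswith("\\system")


def detect(events):
    """Run the five rules over process-creation events; return a list of Findings."""
    findings = []
    for ev in events:
        cl = ev["command_line"].lower()
        parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
        system = _is_system(ev["user"])

        # Rule 1: SYSTEM-level Bomgar parent launching a non-Bomgar exe under ProgramData.
        # Skipping bomgar* children is an assumption so the jump client's own
        # components (which also live under ProgramData) do not fire the rule.
        if (system and parent.startswith("bomgar")
                and _under_programdata(ev["image"]) and not child.startswith("bomgar")):
            findings.append(Finding(ev["host"], "dropped_binary_from_bomgar", ev["image"]))

        # Rule 2: net user <name> [<password>] /add  (local or /domain)
        m = NET_USER_ADD_RE.search(cl)
        if m:
            findings.append(Finding(ev["host"], "account_created", m.group(1)))

        # Rule 3: net group "<privileged group>" <name> /add
        m = NET_GROUP_ADD_RE.search(cl)
        if m and m.group(1).strip() in PRIVILEGED_GROUPS:
            findings.append(Finding(ev["host"], "privileged_group_add", m.group(1).strip()))

        # Rule 4: AD enumeration through the [adsisearcher] type accelerator
        if "[adsisearcher]" in cl:
            findings.append(Finding(ev["host"], "ad_enumeration", "adsisearcher"))

        # Rule 5 (heuristic): recon commands are noisy on their own, so only flag
        # them when run as SYSTEM from a parent living under ProgramData.
        if system and RECON_RE.match(cl) and _under_programdata(ev["parent_image"]):
            findings.append(Finding(ev["host"], "recon_from_dropped_binary", cl))
    return findings


def hosts_with_chain(findings, min_rules: int = 2):
    """Hosts on which at least `min_rules` distinct rules fired: a single hit may
    be noise, but drop + account creation + recon on one host is the chain above."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.rule:28} {f.detail}")
    print("hosts with a multi-stage chain:", hosts_with_chain(hits))
```

Rules 2 and 3 fire on any `net user ... /add` or privileged-group `net group ... /add`, regardless of parent, because those are worth a ticket wherever they come from; rule 5 is deliberately narrow so that a technician typing `ipconfig /all` does not page anyone. Correlating by host in `hosts_with_chain` is what turns five medium-confidence hits into one high-confidence incident.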

Mitigation Recommendations

Administrators are strongly advised to:

1. Apply Patches Promptly: Ensure that all self-hosted deployments are updated with the latest patches provided by BeyondTrust.

2. Review Systems for Indicators of Compromise (IoCs): Check for unauthorized SimpleHelp binaries (in particular, unexpected executables under ProgramData launched by Bomgar processes running as SYSTEM), recently created or newly privileged domain accounts, and anomalous SMB session activity between hosts consistent with PsExec or Impacket.

3. Upgrade Older Versions: Deployments running versions older than RS 21.3 or PRA 22.1 fall outside the range the patches support and must first be upgraded to a supported version before the patch can be applied.
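Steps 1 and 3 together with the version table above amount to a three-way decision per self-hosted appliance: not listed as affected, patch directly, or upgrade first and then patch. The script below is an added example written for this article, not a BeyondTrust tool, that applies that decision across an inventory. It encodes only the ranges the article states (RS 25.3.1 and earlier affected, patch BT26-02-RS supports 21.3 onward; PRA 24.3.4 and earlier affected, patch BT26-02-PRA supports 22.1 onward); any version above the last listed affected release is reported as "not listed", not as verified fixed, and the inventory entries are constructed.

```python
# Ranges as stated in the advisory summary above. Anything newer than
# last_affected is reported as "not listed", which is all the article supports.
PRODUCTS = {
    "RS":  {"last_affected": (25, 3, 1), "patch": "BT26-02-RS",  "patch_floor": (21, 3)},
    "PRA": {"last_affected": (24, 3, 4), "patch": "BT26-02-PRA", "patch_floor": (22, 1)},
}


def parse_version(text: str) -> tuple:
    """'25.3.1' -> (25, 3, 1). Tuples compare lexicographically, so a bare
    '25.3' -> (25, 3) sorts before (25, 3, 1) and is treated as
    '25.3.1 and earlier', which is what we want."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product: str, version: str) -> str:
    """Return the action for one self-hosted appliance (cloud instances were
    patched by the vendor and do not need this)."""
    rule = PRODUCTS[product]
    v = parse_version(version)
    if v > rule["last_affected"]:
        return "not_listed_affected"
    if v >= rule["patch_floor"]:
        return f"apply {rule['patch']}"
    floor = ".".join(str(n) for n in rule["patch_floor"])
    return f"upgrade to {floor} or later, then apply {rule['patch']}"


# Constructed inventory for illustration, not real hosts.
INVENTORY = [
    ("rs-hq",   "RS",  "25.3.1"),
    ("rs-lab",  "RS",  "25.3"),
    ("rs-eu",   "RS",  "20.2"),
    ("pra-1",   "PRA", "24.3.4"),
    ("pra-old", "PRA", "21.2"),
    ("rs-new",  "RS",  "25.3.2"),
]


def triage_inventory(inventory):
    """Map appliance name -> action, so the result can be sorted into work queues."""
    return {name: triage(product, version) for name, product, version in inventory}


if __name__ == "__main__":
    for name, action in triage_inventory(INVENTORY).items():
        print(f"{name:8} {action}")
```

The one subtlety worth calling out is in `parse_version`: comparing dotted versions as integer tuples rather than strings avoids the classic "25.10" < "25.3" string-comparison bug and makes a short version like 25.3 correctly fall inside "25.3.1 and earlier".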

By taking these steps, organizations can protect their systems from potential exploitation and maintain the integrity of their domain environments.