Critical BeyondTrust Vulnerability Exploited to Gain Full Domain Control
A critical security flaw, identified as CVE-2026-1731, has been actively exploited, allowing attackers to achieve full domain control over affected systems. This vulnerability resides in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) software, enabling unauthenticated threat actors to execute operating system commands remotely.
Technical Overview
CVE-2026-1731 is a pre-authentication remote code execution (RCE) vulnerability stemming from an OS command injection weakness. With a CVSS severity score of 9.9 out of 10, this flaw permits attackers to run arbitrary OS commands without requiring authentication or user interaction. Successful exploitation can lead to unauthorized access, data exfiltration, and service disruption.
Affected Versions
– Remote Support (RS): Versions 25.3.1 and earlier
– Privileged Remote Access (PRA): Versions 24.3.4 and earlier
Patch Availability
BeyondTrust released patches for all active customers as of February 2, 2026. Cloud-hosted instances were updated automatically. Self-hosted customers not subscribed to automatic updates are urged to apply patches manually. Users with older versions must upgrade to newer supported releases to mitigate the vulnerability.
Exploitation Details
Security researchers Harsh Jaiswal and the Hacktron AI team discovered the flaw, noting approximately 11,000 internet-exposed instances, with about 8,500 being self-hosted deployments potentially still vulnerable if patches aren’t applied. BeyondTrust confirmed there is currently no evidence of the flaw being exploited in the wild.
Recommendations
– Immediate Patching: Apply the latest patches provided by BeyondTrust to mitigate the vulnerability.
– System Review: Examine systems for unauthorized SimpleHelp binaries, suspicious administrative accounts, and unusual network traffic related to SMB sessions.
– Access Control: Limit exposure by restricting access to BeyondTrust instances from untrusted networks.
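As an added example (not BeyondTrust's tooling or data), the script below applies the affected-version cutoffs listed under Affected Versions (RS 25.3.1 and earlier, PRA 24.3.4 and earlier) to a constructed inventory and orders instances by patching priority, following the Patch Availability and Recommendations guidance above: cloud-hosted instances were updated by the vendor, self-hosted instances on automatic updates only need confirmation, and self-hosted instances on manual updates that face untrusted networks come first. The `Instance` fields, the `triage` priority scheme and the sample hosts are assumptions made for the example.

```python
"""Triage a BeyondTrust RS/PRA inventory against the CVE-2026-1731 affected-version
cutoffs. Added example; the inventory records, the Instance/triage names and the
priority scheme are assumptions, not vendor tooling."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Highest affected build per product, as stated in the advisory.
AFFECTED_UP_TO: Dict[str, Tuple[int, int, int]] = {
    "RS": (25, 3, 1),   # Remote Support 25.3.1 and earlier
    "PRA": (24, 3, 4),  # Privileged Remote Access 24.3.4 and earlier
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1). Short strings are padded with zeros so
    '25.3' compares as 25.3.0; longer build strings compare lexicographically."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 3:
        parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True when the installed build is at or below the last affected build."""
    cutoff = AFFECTED_UP_TO.get(product)
    if cutoff is None:
        raise ValueError(f"unknown product {product!r}; expected 'RS' or 'PRA'")
    return parse_version(version) <= cutoff


@dataclass(frozen=True)
class Instance:
    host: str
    product: str          # "RS" or "PRA" (assumed labels)
    version: str
    self_hosted: bool     # False means vendor cloud-hosted
    auto_update: bool     # self-hosted instances subscribed to automatic updates
    internet_exposed: bool


def triage(inst: Instance) -> Tuple[int, str]:
    """Return (priority, action); lower priority number means act sooner."""
    if not is_affected(inst.product, inst.version):
        return (9, "not affected by CVE-2026-1731; no action")
    if not inst.self_hosted:
        return (3, "cloud-hosted: vendor updated automatically; verify the reported version")
    if inst.auto_update:
        return (2, "self-hosted on auto-update: confirm the patch was actually applied")
    if inst.internet_exposed:
        return (0, "self-hosted, manual updates, internet-exposed: patch now and restrict access")
    return (1, "self-hosted, manual updates: patch now")


def triage_inventory(instances: List[Instance]) -> List[Tuple[str, int, str]]:
    """Rows of (host, priority, action), most urgent first."""
    rows = [(i.host, *triage(i)) for i in instances]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Instance("rs-dmz-01", "RS", "25.3.1", True, False, True),
    Instance("pra-internal", "PRA", "24.3.4", True, False, False),
    Instance("rs-branch", "RS", "25.2", True, True, True),
    Instance("rs-cloud", "RS", "25.3.0", False, True, True),
    Instance("pra-new", "PRA", "25.0.1", True, False, True),
]

if __name__ == "__main__":
    for host, prio, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{prio}] {host}: {action}")
```

The comparison is a plain tuple compare on the numeric components, so a build such as 25.3.1.x sorts above 25.3.1; if your deployment reports four-component builds, confirm with the vendor's release notes which of them carry the fix before trusting the "not affected" result.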
This incident underscores the critical importance of timely patch management and vigilant monitoring of remote access tools to prevent unauthorized system control and potential data breaches.