BeyondTrust RCE Exploited in the Wild: What You Need to Know

🚨 IMMEDIATE ACTION REQUIRED: CISA's remediation deadline is February 16, 2026, which is tomorrow. If you run BeyondTrust Remote Support or Privileged Remote Access on-premises, stop reading and patch now. Then come back and check for compromise.

TL;DR: The 60-Second Briefing

  • CVE-2026-1731: Pre-authentication RCE in BeyondTrust Remote Support and Privileged Remote Access
  • CVSS Score: 9.9 (Critical); no authentication required, low complexity, network exploitable
  • Active Exploitation: Confirmed since February 11, 2026, within 24 hours of PoC release
  • Silk Typhoon Connection: Variant of flaws used in the December 2024 U.S. Treasury breach
  • Affected Systems: ~8,500 on-premises instances globally
  • CISA KEV Deadline: February 16, 2026 (FCEB agencies), but everyone should treat this as mandatory
  • Discovery: Found by Hacktron AI using AI-enabled variant analysis

If you're unpatched since February 6: Assume breach. Hunt for indicators. Patch immediately.


The Stakes: Why This Matters

BeyondTrust isn't just another software vendor. With 20,000+ customers including 75% of the Fortune 100, their Remote Support and Privileged Remote Access products sit at the most sensitive junction of enterprise networks: privileged access management (PAM).

Compromising a PAM solution is the security equivalent of stealing the master key to every door in a building. Attackers don't just get access to one system; they get the keys to everything.

This is exactly what happened in December 2024 when Silk Typhoon (the Chinese APT formerly known as Hafnium) exploited earlier BeyondTrust vulnerabilities to breach the U.S. Treasury Department, accessing:

  • Office of Foreign Assets Control (OFAC): sanctions intelligence
  • Office of the Treasury Secretary: unclassified documents
  • Multiple Treasury Department workstations

CVE-2026-1731 is a variant of those same vulnerabilities. Same attack surface. Same high-value target profile. Different code path.

If you're running BeyondTrust in healthcare, financial services, government, or any organization with sensitive data, attackers are already looking for you.


Technical Breakdown: How CVE-2026-1731 Works

Vulnerability Summary

| Attribute           | Value                         |
|---------------------|-------------------------------|
| CVE ID              | CVE-2026-1731                 |
| CVSS v4 Score       | 9.9 (Critical)                |
| CWE                 | CWE-78 (OS Command Injection) |
| Attack Vector       | Network                       |
| Attack Complexity   | Low                           |
| Privileges Required | None                          |
| User Interaction    | None                          |
| Impact              | Complete system compromise    |

The Attack Chain

CVE-2026-1731 exploits improper input validation in BeyondTrust's request handling. Here's the simplified attack flow:

ATTACKER

  Step 1: GET /get_portal_info
          ↓
  Step 2: Extract X-Ns-Company header from response
          ↓
  Step 3: Establish WebSocket connection using company ID
          ↓
  Step 4: Execute arbitrary OS commands as site user
          ↓
  COMPLETE SYSTEM COMPROMISE

What makes this devastating:

  1. No authentication required: attackers don't need valid credentials
  2. No user interaction: no phishing, no clicks needed
  3. Low complexity: script-kiddie accessible once the PoC is public
  4. WebSocket-based: may bypass some security controls
  5. Runs as site user: immediate privileged access to the PAM system

Affected Products and Versions

| Product                        | Vulnerable Versions | Fixed Versions                               |
|--------------------------------|---------------------|----------------------------------------------|
| Remote Support (RS)            | ≤25.3.1             | Patch BT26-02-RS (v21.3-25.3.1) or v25.3.2+  |
| Privileged Remote Access (PRA) | ≤24.3.4             | Patch BT26-02-PRA (v22.1-24.X) or v25.1.1+   |

Important: PRA versions 25.1 and later are NOT affected.

Cloud/SaaS customers: BeyondTrust auto-patched all SaaS deployments on February 2, 2026. If you're fully cloud-hosted, you should already be protected, but verify with BeyondTrust.

Self-hosted customers: You must manually apply patches. This is where the risk concentrates.


The 72-Hour Window: Timeline of a Disaster

The speed of exploitation on this vulnerability is a case study in why "patch Tuesday, exploit Wednesday" is no longer a meme; it's operational reality.

| Date         | Event                                                        | Days from Disclosure |
|--------------|--------------------------------------------------------------|----------------------|
| Jan 31, 2026 | Hacktron AI discovers vulnerability via AI variant analysis  | -6                   |
| Jan 31, 2026 | Responsible disclosure to BeyondTrust                        | -6                   |
| Feb 2, 2026  | BeyondTrust patches SaaS and releases on-prem patches        | -4                   |
| Feb 6, 2026  | Public advisory and CVE publication (BT26-02)                | 0                    |
| Feb 10, 2026 | PoC published on GitHub by win3zz                            | +4                   |
| Feb 11, 2026 | First in-the-wild exploitation observed                      | +5                   |
| Feb 12, 2026 | Reconnaissance activity surges (86% from single IP)          | +6                   |
| Feb 13, 2026 | CISA adds to KEV catalog                                     | +7                   |
| Feb 14, 2026 | Arctic Wolf reports SimpleHelp deployment attacks            | +8                   |
| Feb 16, 2026 | FCEB remediation deadline                                    | +10                  |

The brutal math:

  • 4 days between public disclosure and PoC release
  • 24 hours from PoC to active exploitation
  • 72 hours from first exploitation to sophisticated post-exploitation (RMM deployment, AD enumeration)

If you weren't patched by February 10, you were potentially already being probed. By February 11, you were actively being exploited.


The AI Discovery: How Hacktron AI Found the Variant

This is the first major vulnerability discovered by AI-enabled variant analysis that's been actively exploited in the wild.

What Happened

Hacktron AI, a security research platform, analyzed the attack surface from the December 2024 Treasury breach (CVE-2024-12356 + CVE-2024-12686). Using pattern recognition and code flow analysis, their AI identified a new code path in the same vulnerable WebSocket endpoint that could achieve similar results: command injection without authentication.

Why This Matters for Defenders

AI is now on offense and defense.

The same techniques that helped Hacktron AI find CVE-2026-1731 are being used by threat actors to:

  • Automatically discover variant vulnerabilities after patches
  • Generate exploit code from vulnerability descriptions
  • Scale vulnerability research beyond human capacity

This changes the calculus on patch windows. If AI can find variants faster than humans, the "safe period" after a patch shrinks dramatically.

Implication: When you patch one CVE in a product, assume variants exist and harden the entire attack surface.


Threat Actor Profile: Who's Exploiting This?

The Silk Typhoon Connection

CVE-2026-1731 is directly related to the vulnerabilities Silk Typhoon used in the Treasury breach:

| December 2024              | February 2026                  |
|----------------------------|--------------------------------|
| CVE-2024-12356 (CVSS 9.8)  | CVE-2026-1731 (CVSS 9.9)       |
| CVE-2024-12686 (CVSS 6.6)  | (no counterpart)               |
| Same WebSocket endpoint    | Same WebSocket endpoint        |
| Command injection          | OS command injection           |
| Exploited by Silk Typhoon  | Variant of Silk Typhoon TTPs   |

Timeline pattern:

Dec 2024: CVE-2024-12356 + 12686 → Silk Typhoon breaches Treasury
Jan 2025: Old exploit chain still being replayed (Polish IP)
Jan 2026: Hacktron AI finds variant via AI analysis
Feb 2026: CVE-2026-1731 weaponized within 24 hours of PoC

While we can't definitively attribute current exploitation to Silk Typhoon, the attack surface overlap is not coincidental.

Current Threat Actor Observations

Based on GreyNoise and Arctic Wolf telemetry:

| Actor Type               | Behavior                                               | Notes                                                              |
|--------------------------|--------------------------------------------------------|--------------------------------------------------------------------|
| Primary scanner          | 86% of reconnaissance from a single IP                 | Commercial VPN (Frankfurt), active since 2023                      |
| Multi-exploit operators  | Same IPs targeting SonicWall, MOVEit, Log4j, Sophos    | Opportunistic spray-and-pray                                       |
| OAST operators           | Using out-of-band callbacks to confirm the vuln        | More sophisticated operators                                       |
| Residential IPs          | Probing from home connections                          | Potential home-based operators or compromised residential networks |

TLS Fingerprint Match: GreyNoise observed the same TLS fingerprint (JA4+ MSS 1358) from actors still exploiting the old CVE-2024-12356 chain, and those actors are now scanning for CVE-2026-1731.


Post-Exploitation: What Happens After They Get In

Arctic Wolf's threat research team observed sophisticated post-exploitation activity following successful CVE-2026-1731 exploitation:

Attack Progression

INITIAL ACCESS
  └─► CVE-2026-1731 exploitation via WebSocket

PERSISTENCE
  └─► SimpleHelp RMM deployed
      - Binary renamed to "remote access.exe"
      - Saved to C:\ProgramData\

DISCOVERY
  └─► System enumeration
      - systeminfo, ipconfig /all, net share
      - AD enumeration via AdsiSearcher

PRIVILEGE ESCALATION
  └─► Domain account creation
      - net user [USER] [PASS] /add /domain
      - net group "enterprise admins" [USER] /add /domain
      - net group "domain admins" [USER] /add /domain

LATERAL MOVEMENT
  └─► PsExec + Impacket SMBv2
      - SimpleHelp pushed to additional hosts

OBJECTIVES
  └─► Data exfiltration, ransomware staging, persistent access

Why SimpleHelp?

Attackers are deploying SimpleHelp (a legitimate remote support tool) for persistence because:

  1. Signed binary: less likely to trigger AV/EDR
  2. Legitimate use case: blends with normal IT operations
  3. Full remote access: keyboard, mouse, file transfer, command line
  4. Cross-platform: works on Windows, Mac, Linux

This is a classic "living off the land" (LOL) technique, but with an externally-sourced legitimate tool instead of built-in OS utilities.


Indicators of Compromise (IOCs)

Network Indicators

| Indicator                                  | Description                            | Priority |
|--------------------------------------------|----------------------------------------|----------|
| /get_portal_info endpoint access           | Initial reconnaissance                 | High     |
| X-Ns-Company header extraction             | Company ID harvesting                  | High     |
| WebSocket upgrade requests to BeyondTrust  | Exploitation in progress               | Critical |
| Connections on non-standard ports          | Attackers know about port obfuscation  | Medium   |
| JA4+ MSS 1358 (vs standard 1460)           | VPN tunnel encapsulation               | Medium   |
| Linux TCP stack fingerprint                | 100% of observed scanning sessions     | Low      |

File System Artifacts

| Artifact             | Location          | Description                         |
|----------------------|-------------------|-------------------------------------|
| remote access.exe    | C:\ProgramData\   | Renamed SimpleHelp binary           |
| SimpleHelp service   | Service Manager   | Persistence mechanism               |
| New domain accounts  | Active Directory  | Created via net user /add /domain   |
| PsExec artifacts     | Various           | Lateral movement tool               |
| Impacket traces      | Network logs      | SMBv2 session setup requests        |

Process Indicators

| Process/Command                                            | Context              | Detection Priority |
|------------------------------------------------------------|----------------------|--------------------|
| net user [USER] [PASS] /add /domain                        | Account creation     | Critical           |
| net group "enterprise admins" [USER] /add /domain          | Privilege escalation | Critical           |
| net group "domain admins" [USER] /add /domain              | Privilege escalation | Critical           |
| ([adsiSearcher]"(ObjectClass=computer)").FindAll().count   | AD enumeration       | High               |
| systeminfo, ipconfig /all, net share                       | Discovery            | Medium             |
| cmd.exe /c ver                                             | OS fingerprinting    | Low                |

SimpleHelp Post-Exploitation Identifiers

| Attribute          | Value                                      |
|--------------------|--------------------------------------------|
| File Description   | "SimpleHelp Remote Access Client"          |
| Common Filename    | remote access.exe                          |
| Installation Path  | C:\ProgramData\                            |
| PE Metadata        | Look for "SimpleHelp" in file properties   |

Detection Rules

Suricata/Snort Rules

# Rule 1: BeyondTrust CVE-2026-1731 Reconnaissance
# (lines are continued with a trailing backslash so the rule loads as written)
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
  msg:"BEYONDTRUST CVE-2026-1731 Reconnaissance - get_portal_info"; \
  flow:to_server,established; \
  http.uri; content:"/get_portal_info"; \
  classtype:attempted-recon; \
  sid:2026173101; rev:1; \
)

# Rule 2: BeyondTrust CVE-2026-1731 WebSocket Exploitation
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
  msg:"BEYONDTRUST CVE-2026-1731 WebSocket Exploitation Attempt"; \
  flow:to_server,established; \
  http.header; content:"Upgrade|3a| websocket"; \
  http.header; content:"X-Ns-Company"; \
  classtype:attempted-admin; \
  sid:2026173102; rev:1; \
)

Splunk Queries

Query 1: BeyondTrust Suspicious Access Patterns

index=web sourcetype=*access* 
(uri="/get_portal_info" OR uri_path="*websocket*")
| stats count by src_ip, uri, status
| where count > 5
| sort -count
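A small correlation script over constructed access-log lines, added here as an example (not code from the advisory or from BeyondTrust): it goes beyond Query 1's per-source count by also flagging the Step 1 to Step 3 sequence, a /get_portal_info request followed within a short window by a WebSocket upgrade from the same source. The log layout and the "/websocket" path are assumptions, not product details.

```python
"""Correlate access-log lines into the CVE-2026-1731 request sequence.

Added example, not code from the advisory or from BeyondTrust. The log layout
(timestamp, source, method, path, status, logged Upgrade header) and the
"/websocket" path are constructed placeholders, not real product details.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a staged exploit sequence (203.0.113.10), a harmless
# portal lookup (198.51.100.7) and a reconnaissance burst (192.0.2.55).
SAMPLE_LOG = """\
2026-02-12T09:14:02Z 203.0.113.10 GET /get_portal_info 200 -
2026-02-12T09:14:03Z 203.0.113.10 GET /websocket 101 websocket
2026-02-12T09:20:11Z 198.51.100.7 GET /get_portal_info 200 -
2026-02-12T10:41:50Z 198.51.100.7 GET /login 200 -
2026-02-12T11:02:30Z 192.0.2.55 GET /get_portal_info 200 -
2026-02-12T11:02:31Z 192.0.2.55 GET /get_portal_info 200 -
2026-02-12T11:02:31Z 192.0.2.55 GET /get_portal_info 200 -
2026-02-12T11:02:32Z 192.0.2.55 GET /get_portal_info 200 -
2026-02-12T11:02:32Z 192.0.2.55 GET /get_portal_info 200 -
2026-02-12T11:02:33Z 192.0.2.55 GET /get_portal_info 200 -
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) (?P<upgrade>\S+)$")


def parse_line(line):
    """Return one parsed record, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def correlate(log_text, window=timedelta(minutes=10), burst_threshold=5):
    """Group events by source IP and return findings, highest priority first.

    exploit_sequence: /get_portal_info followed within `window` by a WebSocket
        upgrade (101 Switching Protocols or Upgrade: websocket), Steps 1-3 of
        the advisory's attack chain.  recon_burst: more than `burst_threshold`
        /get_portal_info requests, the advisory's Splunk "count > 5" threshold.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        portal = [e["ts"] for e in events if e["path"] == "/get_portal_info"]
        for e in events:
            upgraded = e["status"] == 101 or e["upgrade"].lower() == "websocket"
            if upgraded and any(timedelta(0) <= e["ts"] - t <= window for t in portal):
                findings.append({"src": src, "finding": "exploit_sequence",
                                 "priority": "critical", "at": e["ts"].isoformat()})
                break
        if len(portal) > burst_threshold:
            findings.append({"src": src, "finding": "recon_burst",
                             "priority": "high", "count": len(portal)})
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (rank[f["priority"]], f["src"]))
```

Feed it your own export by mapping each line into the six-field layout above, or adjust LINE_RE to your web server's format.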

Query 2: Domain Admin Group Modifications

index=windows (EventCode=4728 OR EventCode=4732 OR EventCode=4756)
(TargetUserName="Domain Admins" OR TargetUserName="Enterprise Admins")
| table _time, SubjectUserName, MemberName, TargetUserName, ComputerName
| sort -_time

Query 3: SimpleHelp Installation Detection

index=endpoint 
(process_name="remote access.exe" OR 
 process_path="*\\ProgramData\\*" OR
 process_command_line="*SimpleHelp*")
| table _time, host, user, process_name, process_path, parent_process

Microsoft Sentinel (KQL)

Query 1: SimpleHelp Post-Exploitation Detection

DeviceProcessEvents
| where FileName =~ "remote access.exe" 
   or ProcessCommandLine contains "SimpleHelp"
   or InitiatingProcessFileName contains "bomgar"
| project Timestamp, DeviceName, ProcessCommandLine, 
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

Query 2: Suspicious Domain Account Creation

DeviceProcessEvents
| where ProcessCommandLine has_all ("net", "user", "/add", "/domain")
   or ProcessCommandLine has_all ("net", "group", "admins", "/add")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
| sort by Timestamp desc

Query 3: AD Enumeration via AdsiSearcher

DeviceProcessEvents
| where ProcessCommandLine contains "adsiSearcher"
   or ProcessCommandLine contains "ObjectClass=computer"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

Elastic/ELK Query

Lateral Movement and Privilege Escalation Detection

process.name:"net.exe" AND 
process.command_line:(*"enterprise admins"* OR *"domain admins"* OR *"/add /domain"*)
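The same process indicators as a standalone triage over constructed endpoint events, added as an example (not code from the advisory or from any vendor); it covers the Process Indicators table and the Sentinel and Elastic queries above in one place. The event field names are assumptions, and the SimpleHelp finding's priority is assigned here, not by the advisory.

```python
"""Triage endpoint process events against the post-exploitation indicators the
advisory lists (net user/group /add /domain, AdsiSearcher enumeration, discovery
commands, SimpleHelp renamed to "remote access.exe" under C:\\ProgramData\\).

Added example, not code from the advisory or from any vendor. The event field
names are constructed; priorities follow the advisory's Process Indicators
table, except the SimpleHelp finding, whose priority is assumed here.
"""
import re

ADMIN_GROUPS = ("enterprise admins", "domain admins")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample events; [USER]/[PASS] placeholders mirror the advisory.
SAMPLE_EVENTS = [
    {"host": "BT-APPL01", "user": "svc_site", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user [USER] [PASS] /add /domain"},
    {"host": "BT-APPL01", "user": "svc_site", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net group "domain admins" [USER] /add /domain'},
    {"host": "WS-042", "user": "jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share"},
    {"host": "BT-APPL01", "user": "svc_site", "image": "powershell.exe",
     "cmdline": '([adsiSearcher]"(ObjectClass=computer)").FindAll().count'},
    {"host": "WS-042", "user": "SYSTEM", "image": "C:\\ProgramData\\remote access.exe",
     "cmdline": '"C:\\ProgramData\\remote access.exe"'},
    {"host": "WS-042", "user": "jdoe", "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]


def tokens(cmdline):
    """Split on whitespace but keep double-quoted groups (e.g. "domain admins") together."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Map one process event to (priority, label); None when nothing matches."""
    cmd, image = event["cmdline"], event["image"].lower()
    t = tokens(cmd)
    if t[:2] == ["net", "user"] and "/add" in t and "/domain" in t:
        return "critical", "domain account creation (net user /add /domain)"
    if t[:2] == ["net", "group"] and "/add" in t and len(t) > 2 and t[2] in ADMIN_GROUPS:
        return "critical", f"member added to {t[2]}"
    if re.search(r"adsisearcher|objectclass=computer", cmd, re.I):
        return "high", "AD enumeration via AdsiSearcher"
    # Renamed SimpleHelp client: the advisory's file artifact; priority assumed.
    if image.endswith("\\remote access.exe") or ("\\programdata\\" in image and "simplehelp" in cmd.lower()):
        return "high", "possible renamed SimpleHelp client under ProgramData"
    if t[:1] == ["systeminfo"] or t[:2] in (["ipconfig", "/all"], ["net", "share"]):
        return "medium", "host discovery command"
    if t[:3] == ["cmd.exe", "/c", "ver"]:
        return "low", "OS fingerprinting (cmd.exe /c ver)"
    return None


def triage(events):
    """Classify every event and return the matches ordered by priority, then host."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"], "priority": hit[0],
                             "label": hit[1], "cmdline": ev["cmdline"]})
    return sorted(findings, key=lambda f: (RANK[f["priority"]], f["host"]))
```

A host that shows a critical finding alongside the discovery and SimpleHelp findings matches the full post-exploitation progression above, and should be treated as compromised rather than merely noisy.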

GreyNoise Tracking

For real-time threat intelligence on scanners and exploitation attempts:

# GreyNoise Query
cve:CVE-2026-1731

GreyNoise Tag: BeyondTrust Remote Support Pre-Auth RCE CVE-2026-1731 Company Identifier Check


Remediation Steps: What To Do Right Now

Priority 1: IMMEDIATE (Next 2 Hours)

If you're reading this on February 15, 2026, you have less than 24 hours until the CISA deadline.

Step 1: Identify Your Exposure

# Check for BeyondTrust services
systemctl list-units | grep -i bomgar
systemctl list-units | grep -i beyondtrust

# Check installed versions (varies by install method)
ls -la /opt/bomgar/
cat /opt/bomgar/VERSION  # if exists

For Windows:

# Check for BeyondTrust services
Get-Service | Where-Object {$_.Name -like "*bomgar*" -or $_.Name -like "*beyondtrust*"}

# Check version in registry
Get-ItemProperty "HKLM:\SOFTWARE\Bomgar\*" -ErrorAction SilentlyContinue

Step 2: Apply the Patch

Remote Support (RS):

  • If running 21.3 through 25.3.1: Apply Patch BT26-02-RS
  • Or upgrade to v25.3.2 or later

Privileged Remote Access (PRA):

  • If running 22.1 through 24.X: Apply Patch BT26-02-PRA
  • Or upgrade to v25.1.1 or later
  • Note: PRA 25.1+ is not affected

Step 3: Verify Patching

After applying the patch:

# Verify service restarted
systemctl status beyondtrust-*

# Check version number matches fixed version
# Consult BeyondTrust docs for version verification method

Priority 2: THREAT HUNT (Next 24 Hours)

Assume compromise if you were unpatched since February 6.

Step 1: Search for Post-Exploitation Artifacts

# Look for SimpleHelp binaries
Get-ChildItem -Path C:\ProgramData\ -Recurse -File | 
  Where-Object {$_.Name -like "*remote access*" -or $_.Name -like "*simplehelp*"}

# Check for suspicious services
Get-Service | Where-Object {$_.DisplayName -like "*SimpleHelp*" -or $_.DisplayName -like "*Remote Access*"}

Step 2: Check for Unauthorized Domain Accounts

# Recently created domain accounts (last 14 days)
$cutoff = (Get-Date).AddDays(-14)
Get-ADUser -Filter {whenCreated -gt $cutoff} -Properties whenCreated | 
  Select-Object Name, SamAccountName, whenCreated

# Check Enterprise Admins group membership
Get-ADGroupMember "Enterprise Admins" | Select-Object Name, SamAccountName

# Check Domain Admins group membership
Get-ADGroupMember "Domain Admins" | Select-Object Name, SamAccountName

Step 3: Review BeyondTrust Logs

Check application logs for:

  • Unusual login attempts
  • API access from unexpected IPs
  • Session anomalies around February 10-15

Priority 3: HARDEN (Next 7 Days)

Network Segmentation

  1. Restrict BeyondTrust access to known IP ranges
  2. Block inbound access from untrusted networks
  3. Monitor WebSocket connections for anomalies
  4. Implement network detection rules (see Detection Rules section)

Logging and Monitoring

  1. Enable verbose logging on BeyondTrust systems
  2. Forward logs to SIEM for analysis
  3. Set up alerts for IOCs listed above
  4. Monitor AD group changes (Event IDs 4728, 4732)

Incident Response Readiness

  1. Brief IR team on attack patterns
  2. Document BeyondTrust architecture (versions, network placement)
  3. Prepare containment procedures (isolation playbooks)
  4. Establish communication channels with BeyondTrust support

Priority 4: LONG-TERM (30 Days)

Review PAM Security Posture

  1. Audit internet exposure of all PAM solutions
  2. Implement MFA for all privileged access
  3. Review API key management (Treasury breach used stolen API key)
  4. Consider network isolation for PAM systems

Vulnerability Management Improvements

  1. Subscribe to BeyondTrust security advisories
  2. Monitor CISA KEV catalog for additions
  3. Prioritize PAM patching in your program
  4. Reduce patch-to-deploy time for critical assets

If You're Already Compromised

If your threat hunt reveals indicators of compromise:

Immediate Containment

  1. Isolate affected systems from the network
  2. Disable compromised accounts (especially new domain admins)
  3. Revoke BeyondTrust API keys and rotate credentials
  4. Preserve evidence (memory dumps, disk images, logs)

Investigation Scope

Assume attackers had:

  • Access to all systems reachable via BeyondTrust
  • Credentials for any saved sessions
  • Visibility into privileged operations
  • Potential persistence mechanisms beyond SimpleHelp

External Assistance

Consider engaging:

  • Incident response firm (Arctic Wolf, Mandiant, CrowdStrike)
  • BeyondTrust support (they may have additional IOCs)
  • Law enforcement (FBI IC3) if significant data loss

Notification Requirements

Depending on your industry:

  • HIPAA: Breach notification within 60 days
  • PCI DSS: Notify card brands immediately
  • SEC registrants: 8-K filing within 4 business days (material incidents)
  • State breach laws: Vary by jurisdiction

Key Takeaways

For Security Teams

  1. Patch by EOD today: the CISA deadline is tomorrow (Feb 16)
  2. Hunt for compromise: exploitation started Feb 11; 4+ days of potential exposure
  3. Deploy detection rules: use the Suricata, Splunk, and Sentinel queries provided
  4. Watch for SimpleHelp: the primary persistence mechanism observed
  5. Monitor domain changes: attackers create new domain admin accounts rapidly

For CISOs

  1. This is Treasury-breach related: the same attack surface as Silk Typhoon's December 2024 operation
  2. PAM is a crown jewel: compromising BeyondTrust = keys to the kingdom
  3. AI accelerates both sides: variant analysis finds new vulns faster; exploit weaponization is near-instant
  4. 4-day patch windows are insufficient: consider emergency patching processes for PAM/IAM

For Incident Responders

  1. Assume breach if unpatched since Feb 6: threat hunting should be standard procedure
  2. Post-exploitation is sophisticated: RMM deployment, AD enumeration, lateral movement observed
  3. Multiple actor types active: from opportunistic scanners to potential APT operators
  4. Check for persistence beyond BeyondTrust: SimpleHelp provides attacker-controlled remote access


About This Advisory

This article was compiled by the HackerNoob Research Team using intelligence from GreyNoise, Arctic Wolf, Hacktron AI, CISA, and BeyondTrust. Given the active exploitation and imminent CISA deadline, we've prioritized speed of publication while ensuring technical accuracy.


If this advisory helped your organization, consider sharing it with peers who may also be affected. The security community is stronger when we share intelligence quickly.
