CVE-2026-1731: Critical BeyondTrust Remote Support Vulnerability Under Active Exploitation

A critical pre-authentication command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is now being actively exploited in the wild, with threat actors targeting self-hosted deployments including legacy Bomgar appliances.

Vulnerability Overview

According to CSO Online, the vulnerability tracked as CVE-2026-1731 is a critical-severity flaw that allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Because no credentials are required, any host that can reach the appliance's web interface can attempt the attack, which makes internet-exposed appliances the first targets.

Bomgar, which acquired BeyondTrust in 2018 and adopted its name, sold on-premises hardware appliances known as B-series appliances. Many of these hardware models have reached end-of-life, so organizations still running them cannot simply apply a current patch and are particularly exposed.

Active Exploitation Observed

Security researchers from Arctic Wolf have detected attacks compromising Bomgar appliances through the CVE-2026-1731 flaw. The observed attack chain runs from the appliance to full domain compromise:

  • Initial Access: Exploitation of CVE-2026-1731 on vulnerable Bomgar/BeyondTrust appliances
  • Persistence: Deployment of the SimpleHelp RMM tool under renamed binaries
  • Privilege Escalation: Creation of domain accounts with the net user command
  • Admin Group Membership: Addition of those accounts to the Enterprise Admins or Domain Admins groups
  • Discovery: Active Directory reconnaissance with AdsiSearcher (the PowerShell [adsisearcher] type accelerator)
  • Lateral Movement: PsExec used to push SimpleHelp to multiple devices, with Impacket SMBv2 session setup requests observed on the network

Attack Details

Arctic Wolf researchers noted that renamed SimpleHelp binaries were created through Bomgar processes running as the SYSTEM account. These executables were saved to the ProgramData root directory (C:\ProgramData) with names like remote access.exe before being executed. A Bomgar process spawning an executable from that location is therefore a direct indicator of this activity.

Proof-of-Concept Published

A proof-of-concept exploit for CVE-2026-1731 has been published on GitHub, which likely accelerated the transition from theoretical vulnerability to active exploitation.

High-Value Target

BeyondTrust Remote Support is an attractive target for both state-sponsored attackers and ransomware groups. In late 2024 the U.S. Department of the Treasury had workstations compromised after hackers exploited vulnerabilities in SaaS instances of BeyondTrust RS.

Remediation Recommendations

  1. Apply patches immediately for all supported versions of RS and PRA
  2. Assess legacy deployments – older versions may require upgrades before patches can be applied
  3. Consider migration to BeyondTrust SaaS offerings if running end-of-life appliances
  4. Monitor for indicators of compromise: Bomgar processes spawning executables from the ProgramData root, unexpected SimpleHelp deployments, and domain account creation (Event ID 4720) followed by additions to Domain Admins or Enterprise Admins (Event IDs 4728 and 4756)
  5. Review Active Directory for unauthorized accounts in administrative groups
  6. Implement network segmentation to limit lateral movement and restrict which hosts can reach the appliance's web interface
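The following hunt script turns the attack chain Arctic Wolf described (a Bomgar process running as SYSTEM launching a renamed binary from the ProgramData root, domain accounts created with net user, and those accounts added to Domain Admins or Enterprise Admins) into detection logic for recommendations 4 and 5. It is an added example, not code from the article, BeyondTrust or Arctic Wolf. Events are plain dicts whose keys mirror Windows Security log field names (EventID, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine, TargetUserName, MemberName); the Bomgar install path, host names and all sample events are constructed.

```python
"""Hunt for the CVE-2026-1731 post-exploitation chain in Windows Security events.

Added example (not from the article, BeyondTrust or Arctic Wolf). Event dicts
use Windows Security log field names; sample data below is constructed.
"""
import re
from collections import defaultdict

# A Bomgar/BeyondTrust component somewhere in the parent process path.
# Directory naming is an assumption; adjust to your deployment.
BOMGAR_PARENT = re.compile(r"\\(bomgar|beyondtrust)[^\\]*\\", re.IGNORECASE)
# An .exe sitting directly in the ProgramData root, e.g. C:\ProgramData\remote access.exe
PROGRAMDATA_ROOT_EXE = re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$", re.IGNORECASE)
# "net user <name> <password> /add" (net1.exe is the worker that net.exe calls)
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.IGNORECASE)
ADMIN_GROUPS = {"domain admins", "enterprise admins"}


def is_system(subject_user_name):
    """In 4688 a LocalSystem process is logged under the machine account (HOST$)."""
    name = subject_user_name or ""
    return name.upper() == "SYSTEM" or name.endswith("$")


def hunt(events):
    """Return (finding, host, detail) tuples for events that match the chain."""
    findings = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 4688:  # process creation; needs command-line auditing enabled
            parent = e.get("ParentProcessName", "")
            child = e.get("NewProcessName", "")
            cmd = e.get("CommandLine", "")
            if (is_system(e.get("SubjectUserName")) and BOMGAR_PARENT.search(parent)
                    and PROGRAMDATA_ROOT_EXE.match(child)):
                findings.append(("renamed_rmm_from_bomgar", host, child))
            if NET_USER_ADD.search(cmd) and "/domain" in cmd.lower():
                findings.append(("domain_account_via_net_user", host, cmd))
        elif eid == 4720:  # user account created
            findings.append(("account_created", host, e["TargetUserName"]))
        elif eid in (4728, 4756):  # member added to a global / universal security group
            if e.get("TargetUserName", "").lower() in ADMIN_GROUPS:
                findings.append(("admin_group_addition", host,
                                 f'{e["MemberName"]} -> {e["TargetUserName"]}'))
    return findings


def correlate(findings):
    """Group finding types by host; hosts showing several stages come first in triage."""
    by_host = defaultdict(set)
    for kind, host, _ in findings:
        by_host[host].add(kind)
    return {host: sorted(kinds) for host, kinds in by_host.items()}


# Constructed sample: two hits on a workstation, two on a DC, two benign events.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "WS01$",
     "ParentProcessName": r"C:\ProgramData\bomgar-scc-0x1a2b\bomgar-scc.exe",
     "NewProcessName": r"C:\ProgramData\remote access.exe",
     "CommandLine": r'"C:\ProgramData\remote access.exe"'},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "WS01$",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup Passw0rd! /add /domain"},
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc_backup"},
    {"EventID": 4756, "Computer": "DC01", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\ProgramData\Vendor\updater.exe",
     "CommandLine": r'"C:\ProgramData\Vendor\updater.exe" /check'},
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep="\t")
    print(correlate(hunt(SAMPLE_EVENTS)))
```

The 4688 checks only work if Audit Process Creation is enabled together with the "Include command line in process creation events" policy; without the command line the net user stage is invisible and only the parent/child path check fires. The benign events show the two false-positive guards: an executable in a ProgramData subdirectory launched by an interactive user is ignored, as is a group change to anything other than the two admin groups.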

Source: CSO Online