A critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access, CVE-2026-1731, rated CVSS 9.9, is under active exploitation as attackers use the flaw to plant backdoors and map corporate networks. Arctic Wolf observed threat actors deploying SimpleHelp, a legitimate RMM tool, to maintain persistence after exploiting the flaw, renaming binaries to generic names such as remote access[.]exe and running them from the ProgramData root under the SYSTEM account.
In a reported “Discovery” phase, attackers inventory Active Directory computers with AdsiSearcher and run commands like systeminfo and ipconfig to understand their foothold. They are also attempting to add users to high-privilege groups, including Enterprise Admins and Domain Admins, indicating a search for elevated access. Lateral movement features PsExec to spread the SimpleHelp infection and Impacket for SMBv2 session requests.
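The persistence, discovery, privilege-escalation and lateral-movement behaviours described in the two paragraphs above map onto fields that Windows process-creation telemetry (Sysmon Event ID 1) already records. The following is an added example of a hunt over such records, written for this page and not taken from Arctic Wolf, BeyondTrust or SimpleHelp; the events are constructed sample data, and the `OriginalFileName` value `RMMAgent.exe` is a placeholder rather than the real PE metadata of any RMM product. It flags executables launched directly from the ProgramData root as SYSTEM, binaries whose on-disk name differs from their PE name (renaming), AdsiSearcher/systeminfo/ipconfig discovery, additions to Domain Admins or Enterprise Admins, and PsExec service binaries.

```python
"""Hunt over Sysmon Event ID 1 style process-creation records (added example,
not code from the article or from any vendor). All events below are
constructed sample data."""
import ntpath
from typing import Dict, List, Tuple

PRIV_GROUPS = ("domain admins", "enterprise admins")
DISCOVERY_IMAGES = {"systeminfo.exe", "ipconfig.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Constructed sample events using real Sysmon Event ID 1 field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # renamed RMM binary in the ProgramData root, running as SYSTEM
        "Image": r"C:\ProgramData\remote access.exe",
        "OriginalFileName": "RMMAgent.exe",   # placeholder, not real metadata
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r'"C:\ProgramData\remote access.exe"',
    },
    {   # AD computer inventory via the [adsisearcher] type accelerator
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "User": r"CORP\svc-support",
        "CommandLine": "powershell -c \"([adsisearcher]'(objectCategory=computer)').FindAll()\"",
    },
    {   # host discovery
        "Image": r"C:\Windows\System32\systeminfo.exe",
        "OriginalFileName": "sysinfo.exe",
        "User": r"CORP\svc-support",
        "CommandLine": "systeminfo",
    },
    {   # attempt to add a user to a high-privilege group
        "Image": r"C:\Windows\System32\net.exe",
        "OriginalFileName": "net.exe",
        "User": r"CORP\svc-support",
        "CommandLine": 'net group "Domain Admins" jdoe /add /domain',
    },
    {   # PsExec service side on a lateral-movement target
        "Image": r"C:\Windows\PSEXESVC.exe",
        "OriginalFileName": "psexesvc.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r"C:\Windows\PSEXESVC.exe",
    },
    {   # benign: vendor updater in a ProgramData *subfolder*, name matches
        "Image": r"C:\ProgramData\VendorX\updater.exe",
        "OriginalFileName": "updater.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r"C:\ProgramData\VendorX\updater.exe /quiet",
    },
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if none)."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    parent_dir = ntpath.dirname(image).lower().rstrip("\\")
    user = event.get("User", "").lower()
    cmd = event.get("CommandLine", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    findings: List[str] = []

    # Rule 1: executable sitting directly in <drive>:\ProgramData, run as SYSTEM.
    # Subfolders are deliberately excluded: legitimate agents live there.
    if parent_dir.endswith(":\\programdata") and user.endswith("\\system"):
        findings.append("exe_in_programdata_root_as_system")

    # Rule 2: on-disk filename differs from the PE's OriginalFileName.
    # systeminfo.exe legitimately carries "sysinfo.exe", so the rule is a
    # lead for review, not a verdict on its own.
    if orig and orig != base:
        findings.append("renamed_binary")

    # Rule 3: AD or host discovery tooling.
    if base in DISCOVERY_IMAGES or "adsisearcher" in cmd:
        findings.append("host_or_ad_discovery")

    # Rule 4: membership change on Domain Admins / Enterprise Admins.
    if any(g in cmd for g in PRIV_GROUPS) and ("/add" in cmd or "add-adgroupmember" in cmd):
        findings.append("privileged_group_addition")

    # Rule 5: PsExec client or its PSEXESVC service binary.
    if base in PSEXEC_IMAGES:
        findings.append("psexec_lateral_movement")
    return findings


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Pair each event's Image with its findings, dropping clean events."""
    results = []
    for event in events:
        findings = evaluate(event)
        if findings:
            results.append((event["Image"], findings))
    return results


if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

Rule 1 and rule 2 together are the high-signal pair for the persistence behaviour in the article: an RMM agent renamed to a generic name and dropped in the ProgramData root trips both, while the same agent installed by a vendor under its own subfolder with its own name trips neither. Rules 3 to 5 fire on ordinary admin tools, so in practice they are correlated by host and time window with rule 1/2 hits rather than alerted on individually.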
BeyondTrust says cloud customers were patched automatically on 2 February 2026, while self-hosted customers must apply the updates manually; administrators are strongly advised to patch the affected versions promptly.