Hackers Actively Exploit Critical BeyondTrust RCE Flaw

▼ Summary
– Attackers are actively exploiting a critical OS command injection vulnerability (CVE-2026-1731) in internet-facing BeyondTrust Remote Support and Privileged Remote Access instances.
– The flaw is in the `get_portal_info` endpoint and is effectively a variant of a previous vulnerability (CVE-2024-12356) exploited by Chinese state-sponsored attackers.
– Widespread internet scanning and reconnaissance activity for this vulnerability has been detected, primarily from a single IP associated with a known scanning operation.
– BeyondTrust has released a patch, urging on-premises customers to apply it immediately, and organizations that have not patched should assume compromise.
– Post-exploitation activity has been observed, including attempts to deploy remote management tools for persistence and lateral movement within networks.
A critical security flaw in BeyondTrust’s remote access software is now under active attack, with hackers exploiting unpatched systems to gain unauthorized control. The vulnerability, tracked as CVE-2026-1731, is a severe command injection issue affecting internet-facing instances of BeyondTrust Remote Support and Privileged Remote Access. Security experts warn that unauthenticated attackers can leverage this flaw to run arbitrary commands on vulnerable servers, posing a significant risk to organizations that have not yet applied the available patch.
Threat intelligence firm watchTowr confirmed the exploitation, noting that attackers are specifically abusing the `getportalinfo` function. “Attackers are abusing getportalinfo to extract the x-ns-company value before establishing a WebSocket channel,” stated Ryan Dewhurst, Head of Threat Intelligence at watchTowr. This activity follows the public release of a technical analysis and proof-of-concept exploit by Rapid7 researchers earlier this week.
Monitoring by companies like Defused Cyber and GreyNoise has detected widespread scanning and limited exploitation. “So far we have observed exploits leveraging the Nuclei script, but no other variations of the exploit,” reported Defused Cyber. GreyNoise researchers highlighted that the flaw is effectively a variant of a previous critical vulnerability, CVE-2024-12356, which was famously exploited by Chinese state-sponsored actors in a breach of the US Treasury Department. They noted it involves the “Same WebSocket endpoint, different code path.”
GreyNoise, which specializes in tracking internet-facing threats, observed a significant spike in reconnaissance activity originating largely from a single IP address associated with a known scanning operation. Their analysis revealed a notable tactic: while standard deployments use HTTPS on port 443, most scanning sessions targeted clusters of non-standard ports. This suggests attackers know that many organizations move BeyondTrust to non-default ports in an attempt to hide it, relying on security through obscurity rather than patching.
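The indicators described above (a request to the portal-info endpoint followed shortly by a WebSocket channel, and listeners on non-standard ports) can be turned into a simple hunting query over proxy or appliance access logs. The following is an added example written for this article, not code from the article, from watchTowr or GreyNoise, or from BeyondTrust; the JSON-lines log shape, field names and request paths are assumptions (the article names the endpoint but not its URL or the appliance's log format), and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a JSON-lines shape such as a SIEM might export for
# reverse-proxy logs. Field names and paths are assumptions; IPs are documentation ranges.
SAMPLE_EVENTS = """\
{"ts": "2026-02-03T10:01:02Z", "src": "203.0.113.7", "dport": 8443, "method": "POST", "path": "/api/getportalinfo", "status": 200}
{"ts": "2026-02-03T10:01:05Z", "src": "203.0.113.7", "dport": 8443, "method": "GET", "path": "/nw", "status": 101, "upgrade": "websocket"}
{"ts": "2026-02-03T10:02:00Z", "src": "198.51.100.9", "dport": 443, "method": "GET", "path": "/login", "status": 200}
{"ts": "2026-02-03T10:05:10Z", "src": "192.0.2.44", "dport": 443, "method": "POST", "path": "/get_portal_info", "status": 200}
{"ts": "2026-02-03T10:20:00Z", "src": "192.0.2.44", "dport": 443, "method": "GET", "path": "/nw", "status": 101, "upgrade": "websocket"}
"""

STANDARD_PORTS = {443}          # ports where the appliance is expected to listen
WINDOW = timedelta(minutes=5)   # max gap between portal-info request and WebSocket upgrade


def is_portal_info(path):
    # Reporting uses both spellings ("get_portal_info" and "getportalinfo"); match either.
    return "getportalinfo" in path.lower().replace("_", "")


def triage(events_text):
    """Tag each source IP with the hunting signals it triggered.

    Returns {src_ip: sorted list of tags}; sources with no signal are omitted.
    """
    findings = {}
    last_portal_hit = {}  # src -> timestamp of its latest portal-info request
    for line in events_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        src = ev["src"]
        tags = findings.setdefault(src, set())
        if is_portal_info(ev["path"]):
            tags.add("portal_info_request")
            last_portal_hit[src] = ts
            if ev["dport"] not in STANDARD_PORTS:
                tags.add("non_standard_port")   # scanners were seen probing these
        elif ev.get("upgrade", "").lower() == "websocket":
            prev = last_portal_hit.get(src)
            if prev is not None and ts - prev <= WINDOW:
                tags.add("portal_info_then_websocket")  # the sequence the article describes
    return {src: sorted(t) for src, t in findings.items() if t}


if __name__ == "__main__":
    for src, tags in triage(SAMPLE_EVENTS).items():
        print(src, tags)
```

A lone request to the endpoint is not evidence of exploitation on its own; the sequence and the non-standard port are the stronger signals the article points to, and any hit should be followed by the post-exploitation review the article recommends.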
BeyondTrust released a patch for this vulnerability to all its SaaS customers on February 2 and has strongly urged on-premises customers to apply updates immediately. Organizations that have not yet patched should assume their systems are compromised and begin a thorough investigation. The window for passive defense has closed, and proactive incident response is now essential.
In a recent update, Arctic Wolf reported detecting attacks that use CVE-2026-1731 to deploy the SimpleHelp remote monitoring and management tool. This activity is aimed at establishing persistence within a network, followed by discovery and lateral movement efforts. Similarly, Darktrace has provided a list of anomalous behaviors and post-exploitation actions that could indicate a system has been breached.
(Source: HelpNet Security)