Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Critical BeyondTrust RS vulnerability exploited in active attacks

Researchers warn that a critical vulnerability patched this week in BeyondTrust Remote Support is being exploited in the wild to compromise self-hosted deployments, including Bomgar remote support appliances, which included affected versions of the impacted software.

Bomgar, a provider of privileged identity and access management products, acquired BeyondTrust in 2018, adopting the latter’s brand name. Bomgar on-premises hardware appliances, known as BeyondTrust B-series appliances, provide secure remote access to enterprise networks, but many hardware models have reached end of life, with customers encouraged to upgrade to either the virtual appliance or BeyondTrust’s SaaS offerings: Privileged Remote Access (Cloud) and Remote Support (Cloud).

Researchers from security firm Arctic Wolf have detected attacks that compromised Bomgar appliances through the CVE-2026-1731 flaw patched this week. The attackers attempted to then deploy the SimpleHelp remote management and monitoring (RMM) tool and perform lateral movement to other systems on the network.

“Renamed SimpleHelp binaries were created through Bomgar processes using the SYSTEM account,” the researchers said in a report today. “These executables were saved to the ProgramData root directory and executed from there. Binary names include remote access.exe and others.”

The attackers also managed to create domain accounts using the net user command and then added them to administrative groups such as “enterprise admins” or “domain admins.”

The AdsiSearcher tool was used to search the Active Directory environment for other computers and PSexec was used to install SimpleHelp on multiple devices.

The researchers also observed Impacket SMBv2 session setup requests in affected environments. Impacket is a Python library that can be used to decode network traffic and is often used in conjunction with sniffing tools.

CVE-2026-1731 is a critical pre-authentication command injection vulnerability that impacts BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The company released patches for multiple versions of the impacted software, but older versions of RS need to be updated first before the patch can be applied, which could be a problem for appliances that are no longer supported and have reached end of life.

A proof-of-concept exploit was published on GitHub so it’s not surprising that attacks followed soon after. As a remote access solution, BeyondTrust RS is an attractive target for both state-sponsored attackers and ransomware groups. The US Department of the Treasury had some of its workstations compromised after hackers exploited vulnerabilities in SaaS instances of BeyondTrust RS.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.