CVE-2026-1731: BeyondTrust Remote Support and Privileged Remote Access Pre-Auth RCE

On February 6, 2026, BeyondTrust disclosed a critical pre-authentication remote code execution vulnerability in two of its flagship products: Remote Support (RS) and Privileged Remote Access (PRA). Four days later, a proof-of-concept exploit appeared on GitHub. Within 24 hours of that, attackers were actively scanning the internet for vulnerable instances. By February 13, CISA had added the flaw to its Known Exploited Vulnerabilities catalog and Arctic Wolf was reporting active compromises with lateral movement already underway.

This is what happened, how the attack works, who's been targeted, and what defenders need to do about it.

What the Vulnerability Is

CVE-2026-1731 is an operating system command injection flaw (CWE-78) with a CVSSv4 score of 9.9. It allows an unauthenticated remote attacker to execute arbitrary OS commands on the underlying server by sending specially crafted requests. No credentials are required. No user interaction is needed. Exploitation complexity is low.

In its security advisory (BT26-02), BeyondTrust described the potential impact plainly: successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.

The vulnerability affects Remote Support versions 25.3.1 and earlier, and Privileged Remote Access versions 24.3.4 and earlier. PRA versions 25.1 and above are not affected.

How It Was Found

The flaw was discovered on January 31, 2026, by Harsh Jaiswal and the Hacktron AI team using what they describe as AI-enabled variant analysis -- an automated approach to identifying vulnerability classes and variants across enterprise software at scale.

This is a significant detail. CVE-2026-1731 is a variant of CVE-2024-12356, a vulnerability in the same WebSocket endpoint that the Chinese state-sponsored group Silk Typhoon used to breach the U.S. Treasury Department in late 2024. As GreyNoise noted in their analysis published February 12, it sits in the same vulnerability class as the Treasury breach flaw -- same WebSocket endpoint, different code path.

Hacktron AI coordinated responsible disclosure with BeyondTrust, and in a post-disclosure note, praised the vendor's response. They said BeyondTrust confirmed the vulnerability promptly, deployed a patch to SaaS customers within two days, and coordinated closely on the public disclosure timeline. BeyondTrust's own advisory echoed this, thanking Jaiswal and the Hacktron AI team for the responsible disclosure and highlighting their novel approach to variant analysis.

Why BeyondTrust Matters as a Target

BeyondTrust Remote Support and Privileged Remote Access are not ordinary enterprise applications. RS provides remote help desk and troubleshooting access to endpoints across an organization. PRA provides controlled, audited access for privileged users like IT administrators and third-party vendors to internal systems. Together, they occupy what GreyNoise described in their blog post as a uniquely sensitive position -- tools designed to manage privileged access to enterprise networks, where compromise gives attackers not just a foothold but the keys to the castle.

The numbers reinforce this. BeyondTrust serves over 20,000 customers in more than 100 countries, including 75 percent of the Fortune 100. Hacktron AI's scan of internet-facing infrastructure identified approximately 11,000 exposed Remote Support instances, with about 8,500 of those being on-premises deployments that need manual patching. According to reporting by The Stack, affected deployments span healthcare, financial services, government, and hospitality sectors. BeyondTrust names the UK's NHS among its customers.

As Rapid7 stated in their emergency threat response advisory, the platform's immense footprint makes it a high-priority target for sophisticated adversaries. That assessment is supported by recent history.

The Silk Typhoon Precedent

In December 2024, Chinese state-sponsored threat group Silk Typhoon (also known as Hafnium) exploited two BeyondTrust zero-days -- CVE-2024-12356 and CVE-2024-12686 -- to compromise BeyondTrust's own Remote Support SaaS instances. The attackers used a stolen API key to access customer environments.

One of those customers was the U.S. Treasury Department. In a letter to the Senate Committee on Banking, Housing, and Urban Affairs, the Treasury disclosed that on December 8, 2024, BeyondTrust notified them that a threat actor had gained access to a key used to secure a cloud-based service providing remote technical support to Treasury employees.

The breach was severe. According to reporting by Bleeping Computer and Bloomberg, Silk Typhoon specifically targeted the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks. Bloomberg reported the attackers compromised at least 400 computers and stole over 3,000 files, including policy documents, organizational charts, and data marked as law enforcement sensitive.

Rapid7's subsequent research revealed that exploiting CVE-2024-12356 actually required chaining it with a then-unknown SQL injection vulnerability in an underlying PostgreSQL tool, later assigned CVE-2025-1094. CISA added CVE-2024-12356 to its KEV catalog on December 19, 2024, and issued an emergency directive.

This history is directly relevant to CVE-2026-1731 because the new vulnerability sits in the same code area. GreyNoise documented an active timeline showing this continuity: in December 2024, Silk Typhoon breached the Treasury via the WebSocket endpoint; in January 2026, GreyNoise sensors caught a malicious IP on a Polish hosting provider replaying the exact Treasury breach exploit chain (CVE-2024-12356 plus CVE-2025-1094 SQL injection), still targeting the /nw WebSocket path on port 443; then in February 2026, the new variant CVE-2026-1731 was disclosed and exploitation began within days.

The old exploit chain was still being used when the new vulnerability was discovered. That overlap is worth understanding: BeyondTrust's remote access infrastructure is under sustained, ongoing attention from sophisticated threat actors.

The Disclosure and Patch Timeline

January 31: Hacktron AI discovers CVE-2026-1731 and begins responsible disclosure to BeyondTrust.

February 2: BeyondTrust automatically patches all Remote Support SaaS and Privileged Remote Access SaaS customers. Cloud customers require no further action.

February 6: BeyondTrust publishes security advisory BT26-02 and the CVE. Email notifications go to all active self-hosted customers who have not already patched.

February 9: Help Net Security reports on the flaw, noting that while there was no indication of active exploitation at that point, skilled attackers may quickly reverse-engineer the patch and devise an exploit. Hacktron AI confirms they are withholding technical details to allow time for patching.

February 10: A proof-of-concept exploit is published on GitHub by security researcher win3zz. BeyondTrust observes the first exploitation attempt the same day and sends a second round of email notifications to unpatched self-hosted customers.

February 11: GreyNoise's Global Observation Grid begins recording reconnaissance probing for vulnerable BeyondTrust instances. Ryan Dewhurst, head of threat intelligence at watchTowr, posts on X that they observed the first in-the-wild exploitation overnight across their global sensors, noting that attackers are using the get_portal_info endpoint to extract company values before establishing WebSocket channels. Defused Cyber independently confirms exploitation attempts.

February 12: GreyNoise publishes a detailed analysis of reconnaissance patterns. Glenn Thorpe authors the GreyNoise blog post documenting the scanning infrastructure, JA4+ fingerprint analysis, and multi-exploit actor profiles.

February 13: CISA adds CVE-2026-1731 to the Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by February 16 -- a three-day remediation window that reflects how urgent the situation has become. Arctic Wolf publishes a threat advisory confirming active compromises with post-exploitation activity already observed. Andres Ramos at Arctic Wolf details the specific tactics, techniques, and procedures seen in affected environments.

February 14: BeyondTrust's advisory is updated to confirm they are aware of and supporting a limited number of self-hosted customers responding to active exploitation attempts.

What the Reconnaissance Looks Like

GreyNoise's sensor network provided detailed visibility into how attackers began mapping targets. Several patterns stood out from their analysis.

A single IP accounted for 86 percent of all observed reconnaissance sessions. GreyNoise identified it as being associated with a commercial VPN service hosted by a provider in Frankfurt. Importantly, this is not a new actor -- GreyNoise noted it has been an active scanner in their data since 2023, describing it as an established scanning operation that rapidly added CVE-2026-1731 checks to its toolkit.

The scanning targeted non-standard ports, not the expected HTTPS port 443 that default BeyondTrust deployments use. GreyNoise assessed that the attackers likely know enterprises often move BeyondTrust to non-default ports for obscurity, and their scanning reflected that awareness.

JA4+ fingerprint analysis revealed technical details about the scanning infrastructure. Every session showed Linux stack characteristics at the TCP layer. The dominant scanner's TCP fingerprint had an MSS (Maximum Segment Size) of 1358 versus the standard 1460, which independently confirmed VPN tunnel encapsulation. GreyNoise identified two distinct exploit tools in use: a lightweight 5-header tool shared by the top five IPs, and a 7-header variant used by ten different single-session scanners. Neither tool matched any known application in the JA4 fingerprint database.

The scanning IPs were not single-purpose. GreyNoise observed the same actors simultaneously conducting exploitation attempts against SonicWall, MOVEit Transfer, Log4j, Sophos firewalls, SSH brute-forcing, and IoT default-credential testing. Some were using out-of-band callback domains (OAST) to confirm exploitability before delivering payloads -- a technique GreyNoise also observed in the concurrent Ivanti EPMM exploitation campaign.
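The reconnaissance pattern reported by watchTowr in the timeline above (a request to the get_portal_info endpoint followed by a WebSocket channel on the /nw path) can be hunted for in web access logs. The following is an added example written for this page, not GreyNoise's, watchTowr's or BeyondTrust's code; the log lines are constructed, the exact get_portal_info URL is assumed, and the detection keys on the two request names rather than on documented routes:

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined format (not real traffic).
# The /api/get_portal_info path is an assumption; /nw is the WebSocket path named in
# public reporting. The match is on the endpoint names, not on a full documented route.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2026:03:14:02 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [11/Feb/2026:03:14:03 +0000] "GET /nw HTTP/1.1" 101 0 "-" "python-requests/2.31"
198.51.100.7 - - [11/Feb/2026:03:20:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2026:03:20:15 +0000] "GET /nw HTTP/1.1" 101 0 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Feb/2026:04:00:00 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [11/Feb/2026:05:30:00 +0000] "GET /nw HTTP/1.1" 101 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Parse one combined-format line into (ip, timestamp, path, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_recon_sequences(log_text, window=timedelta(minutes=10)):
    """Return {ip: (portal_info_time, websocket_time)} for sources that queried
    get_portal_info and then completed a WebSocket upgrade (HTTP 101) on /nw
    within `window`. Legitimate clients also open /nw, so the sequence, not the
    /nw request alone, is what makes a source worth a closer look."""
    last_portal = {}
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if "get_portal_info" in path:
            last_portal[ip] = ts
        elif path.startswith("/nw") and status == 101 and ip in last_portal:
            if ts - last_portal[ip] <= window:
                hits[ip] = (last_portal[ip], ts)
    return hits
```

Run against the sample, only 203.0.113.5 is flagged: 198.51.100.7 never touched get_portal_info, and 192.0.2.9's two requests are ninety minutes apart.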

What the Active Exploitation Looks Like

Arctic Wolf's advisory, published February 13, moved the picture from reconnaissance to confirmed compromise. In their observations across affected environments, all compromised systems were running BeyondTrust versions affected by CVE-2026-1731.

The attack chain they documented proceeded through three phases.

For persistence, renamed SimpleHelp RMM (remote monitoring and management) binaries were created through Bomgar processes (Bomgar being the legacy name for BeyondTrust's appliances) running under the SYSTEM account. The executables were saved to the ProgramData root directory. Arctic Wolf identified the binaries through their PE metadata, which contained the file description "SimpleHelp Remote Access Client." In addition, domain accounts were created using net user commands and immediately added to both the Enterprise Admins and Domain Admins groups.

For discovery, Arctic Wolf observed AdsiSearcher being used to enumerate Active Directory computer inventory. Additional reconnaissance commands -- net share, ipconfig /all, systeminfo, and ver -- were executed through SimpleHelp processes.

For lateral movement, PsExec was used to push SimpleHelp installations across multiple devices in the environment. Arctic Wolf also observed Impacket SMBv2 session setup requests early in the attack chain.

The choice of SimpleHelp is notable. It is a legitimate remote management tool that blends in with normal administrative activity, making detection more difficult. The attackers are deploying a second layer of remote access on top of the already-compromised BeyondTrust infrastructure, establishing redundant persistence that survives even if the initial BeyondTrust vulnerability is patched.

The Exposure Picture

Hacktron AI's assessment identified approximately 11,000 BeyondTrust Remote Support instances exposed to the internet across both cloud and on-premises deployments. Of those, roughly 8,500 are on-premises systems that require manual patching.

BeyondTrust automatically patched all SaaS customers on February 2, four days before the public advisory. That means cloud customers were protected before most people knew the vulnerability existed. The gap is in self-hosted environments, where customers must apply patches through their /appliance interface or upgrade to fixed versions (RS 25.3.2 or PRA 25.1.1 and later).

Organizations running Remote Support versions older than 21.3 or PRA versions older than 22.1 face an additional challenge: they must first upgrade to a supported version before the security patch can be applied. That upgrade requirement introduces delay in environments where change management is already slow.

BeyondTrust's updated advisory confirmed they are actively supporting a limited number of customers responding to exploitation. They did not provide a count of unpatched instances or answer whether additional customers had reported attempted exploitation, as noted by The Stack in their reporting.

What Defenders Should Do

Patch immediately. Self-hosted Remote Support instances should apply Patch BT26-02-RS (covers versions 21.3 through 25.3.1). Self-hosted PRA instances should apply Patch BT26-02-PRA (covers versions 22.1 through 24.X) or upgrade to version 25.1.1 or later. Cloud customers are already patched and require no action.

Investigate for compromise if you were exposed. If your BeyondTrust instance was accessible from the internet between February 6 (public disclosure) and your patch date, or especially between February 10 (PoC release) and patching, assume scanning occurred and investigate accordingly.

Based on Arctic Wolf's observations, look for the following indicators: unexpected SimpleHelp binaries in ProgramData directories, particularly executables with PE metadata referencing "SimpleHelp Remote Access Client." Review processes spawned by Bomgar/BeyondTrust services that create new executables. Check for recently created domain accounts, especially any added to Enterprise Admins or Domain Admins groups via net user and net group commands. Look for AdsiSearcher queries against Active Directory, which indicate enumeration of your environment. Review logs for PsExec activity and Impacket SMBv2 session setup requests, both of which indicate lateral movement.
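The host-side indicators above can be turned into a hunting pass over process-creation telemetry. The following is an added example for this page, not Arctic Wolf's or BeyondTrust's code; the events are constructed Sysmon Event ID 1-style records, the Bomgar parent path and dropped binary name are illustrative, and the rules cover the SimpleHelp drop, account creation, privileged group membership, AdsiSearcher enumeration and PsExec (Impacket SMB activity is network telemetry and is not modelled here):

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1-style fields); not from
# any real incident. The Bomgar parent path and binary names are illustrative only.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Bomgar\bomgar-client.exe", "image": r"C:\ProgramData\winupd.exe",
     "cmdline": r"C:\ProgramData\winupd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "description": "SimpleHelp Remote Access Client"},
    {"parent": r"C:\ProgramData\winupd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_sync Pwd-placeholder /add /domain", "user": r"NT AUTHORITY\SYSTEM", "description": ""},
    {"parent": r"C:\ProgramData\winupd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Enterprise Admins" svc_sync /add /domain', "user": r"NT AUTHORITY\SYSTEM", "description": ""},
    {"parent": r"C:\ProgramData\winupd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c ([adsisearcher]"objectCategory=computer").FindAll()', "user": r"NT AUTHORITY\SYSTEM", "description": ""},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe", "user": r"NT AUTHORITY\SYSTEM", "description": ""},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "user": r"CORP\alice", "description": "Notepad"},
]

NET_USER_ADD = re.compile(r"\bnet\s+user\s+\S+.*\s/add\b", re.I)
PRIV_GROUP_ADD = re.compile(r'\bnet\s+group\s+"?(domain admins|enterprise admins)"?.*\s/add\b', re.I)


def in_programdata_root(path):
    """True only for files directly under C:\\ProgramData, not in a vendor subfolder."""
    p = PureWindowsPath(path)
    return len(p.parts) == 3 and p.parts[1].lower() == "programdata"


def hunt(events):
    """Return (event_index, rule_name) pairs matching the reported post-exploitation TTPs."""
    findings = []
    for i, ev in enumerate(events):
        cmd, image, parent = ev["cmdline"], ev["image"], ev["parent"]
        # Dropped binary executing under a Bomgar parent from the ProgramData root
        # (a Sysmon file-create event would catch the write itself; this catches the run).
        if "bomgar" in parent.lower() and in_programdata_root(image) and image.lower().endswith(".exe"):
            findings.append((i, "exe_in_programdata_root_from_bomgar"))
        if "simplehelp remote access client" in ev.get("description", "").lower():
            findings.append((i, "simplehelp_pe_metadata"))
        if NET_USER_ADD.search(cmd):
            findings.append((i, "net_user_add"))
        if PRIV_GROUP_ADD.search(cmd):
            findings.append((i, "privileged_group_add"))
        if "adsisearcher" in cmd.lower():
            findings.append((i, "adsisearcher_enumeration"))
        if PureWindowsPath(image).name.lower() == "psexesvc.exe" or "psexec" in cmd.lower():
            findings.append((i, "psexec_service"))
    return findings
```

The benign notepad event produces no finding; each of the other five events trips exactly the rule it was constructed to illustrate, with the SimpleHelp drop matching both the parent/path rule and the PE description rule.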

Review your architecture. BeyondTrust's Remote Support and PRA products manage privileged access to enterprise networks. Their compromise provides a direct path into the most sensitive systems in an environment. If these tools are exposed directly to the internet without additional access controls, evaluate whether VPN, zero-trust network access, or IP allowlisting can reduce the attack surface. The scanning GreyNoise observed was probing non-standard ports, so moving to a non-default port alone is not sufficient mitigation.

Monitor the prior exploit chain too. GreyNoise documented that the CVE-2024-12356 plus CVE-2025-1094 chain used in the Treasury breach was still being actively replayed as recently as January 2026. Organizations running older versions that may have been exposed to this earlier chain should investigate retroactively, not just for CVE-2026-1731.

Track the CISA KEV deadline. Federal civilian agencies must apply the fix by February 16, 2026. Even for non-federal organizations, the three-day remediation window CISA assigned reflects their assessment of the threat level.

The Broader Pattern

CVE-2026-1731 fits a pattern that has become increasingly familiar: a critical vulnerability in network-edge infrastructure that manages privileged access, discovered through variant analysis of a previously exploited flaw, weaponized within days of public disclosure, and exploited against environments where patch cycles could not keep pace with attacker timelines.

BeyondTrust's handling of this disclosure was notably responsive. SaaS customers were patched before the advisory was public, self-hosted customers received multiple rounds of direct notification, and the vendor has been actively supporting affected organizations. Hacktron AI's decision to withhold technical details bought additional time. But the appearance of a PoC on February 10 collapsed the remaining window.

The use of AI-enabled variant analysis to discover CVE-2026-1731 is itself a signal. Hacktron AI described their approach as identifying vulnerability classes and variants across enterprise software at scale. If AI tooling can find variants of known vulnerabilities faster than vendors can proactively audit their own code, the discovery rate for this class of flaw is going to accelerate. Defenders should expect similar variant discoveries in other products with histories of exploitation.

The GreyNoise observation that the Treasury breach exploit chain was still being replayed in January 2026 -- over a year after the original vulnerability was patched -- is a reminder that patching closes one door but does not account for all the actors who walked through it while it was open. For organizations running BeyondTrust products, the question is not just whether CVE-2026-1731 is patched, but whether the environment was compromised at any point during the window of exposure for this flaw or its predecessors.

Patch the vulnerability. Investigate retroactively. And take a hard look at whether privileged access infrastructure should be directly reachable from the open internet.
