BeyondTrust CVE-2026-1731: When Your Privileged Access Tool Becomes the Breach

A CVSS 9.9 unauthenticated RCE in BeyondTrust Remote Support and PRA is under active exploitation. We examine the attack chain, timeline, and what this says about the growing risk to privileged access management tools.

From The Bit Baker newsletter — February 14, 2026

There's a bitter irony at work here. A privileged access management tool — the kind organizations deploy specifically to control who gets access to what — is now the way attackers are getting in. CVE-2026-1731 is a CVSS 9.9 unauthenticated remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). No credentials. No user interaction. One crafted request and the attacker has OS command execution.

BeyondTrust disclosed it on February 6. SaaS instances were auto-patched four days earlier. On-prem customers got fixes the same day as disclosure. Then, on February 10, a proof-of-concept hit the public internet. Less than 24 hours later, Arctic Wolf and Darktrace were both watching live exploitation. CISA dropped it into the KEV catalog on February 13 with a February 16 deadline.

The gap between PoC and mass exploitation? Hours. Not days. Hours.

Why It Matters

The attack chain researchers observed is textbook — and fast. Attackers hit CVE-2026-1731 for initial access, then pivot straight to Active Directory enumeration using AdsiSearcher. Next comes SimpleHelp, a legitimate remote management tool, repurposed for persistent access. PsExec handles the lateral movement. Clean, methodical, and executed quickly enough that defenders barely have time to react.

But the real damage multiplier is the target itself. BeyondTrust RS and PRA aren't generic web apps. They're how hospitals, banks, and government agencies manage privileged access to their most sensitive systems. Crack one of those appliances and you don't just own a box — you own a master key to every system it administers.

Around 8,500 on-premises instances sit exposed on the internet right now, per Rapid7's estimate. SaaS customers are patched. But the organizations running self-hosted deployments — disproportionately the regulated industries where you'd most want strong PAM — those are the ones stuck doing manual updates. Attackers know this asymmetry and are exploiting it.

The Bigger Picture

BeyondTrust has been down this road before. GreyNoise found that an older exploit chain — a separate BeyondTrust RCE chained with PostgreSQL SQL injection, previously tied to the Silk Typhoon U.S. Treasury breach — is still in active use alongside CVE-2026-1731. Threat actors aren't swapping old exploits for new ones. They're running both at once.

And the reconnaissance pattern is revealing. GreyNoise traced 86% of CVE-2026-1731 scanning activity to a single VPN IP in Frankfurt. That's not opportunistic spray-and-pray. That's someone with a target list, systematically probing the internet for exposed BeyondTrust instances.

PAM tools have earned a spot on the same high-priority target list as VPN concentrators and edge firewalls. The math is simple: compromise one PAM device, inherit every access right it manages. That's a far better return than hacking endpoints one at a time. Horizon3.ai's technical analysis confirms the exploit is trivially simple — OS command injection, no chaining required. A single HTTP request does it.

What to Watch

  • February 16 is two days away. Self-hosted BeyondTrust customers who haven't patched face both active exploitation and compliance exposure. Check advisory BT26-02 for the specific patched versions.
  • Post-exploitation IOCs are well documented by Arctic Wolf and GreyNoise: SimpleHelp deployments, AdsiSearcher queries, PsExec lateral movement, unexpected outbound traffic from BeyondTrust appliances. If any of those show up, you're already dealing with more than a vulnerability.
  • Your broader PAM exposure — don't stop at BeyondTrust. Inventory every internet-facing PAM and remote access tool in your environment. If threat actors are systematically going after this product category, the targeting won't stay confined to one vendor.
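A minimal triage pass over the four post-exploitation IOC classes listed above, as an added example (not code from the newsletter or from any of the cited vendors); the appliance hostnames, the allow-listed egress address, the `host | source | message` log format and the sample lines are all constructed assumptions:

```python
import re

# Hypothetical appliance hostnames and allow-listed egress destination (assumptions; adapt to your estate).
APPLIANCE_HOSTS = {"bt-pra01", "bt-rs01"}
ALLOWED_EGRESS = {"198.51.100.10"}  # placeholder for an approved destination such as the vendor update host

# One rule per post-exploitation IOC class from the list above, tagged with its stage in the observed chain.
RULES = [
    ("ad_enumeration", re.compile(r"\[adsisearcher\]|DirectorySearcher", re.I)),  # .NET class behind the accelerator
    ("persistence_simplehelp", re.compile(r"simplehelp", re.I)),
    ("lateral_psexec", re.compile(r"psexesvc|psexec", re.I)),
]
OUTBOUND = re.compile(r"^outbound (?P<dst>\S+?):\d+", re.I)

def parse(line):
    """Split the constructed 'host | source | message' format; None if malformed."""
    parts = [p.strip() for p in line.split("|", 2)]
    return parts if len(parts) == 3 else None

def scan(lines, appliance_hosts=APPLIANCE_HOSTS, allowed=ALLOWED_EGRESS):
    """Return (host, stage, line) for every match; one line may trip several rules."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        host, _source, msg = parsed
        for stage, rx in RULES:
            if rx.search(msg):
                hits.append((host, stage, line))
        m = OUTBOUND.match(msg)
        # Egress from the appliance itself to anything outside the allow-list is the fourth IOC.
        if m and host in appliance_hosts and m.group("dst") not in allowed:
            hits.append((host, "appliance_egress", line))
    return hits

def looks_like_chain(hits):
    """Two or more distinct stages means post-exploitation activity, not just scanning."""
    return len({stage for _, stage, _ in hits}) >= 2

# Constructed sample telemetry (not real logs) in 'host | source | message' form.
SAMPLE_LOGS = [
    "bt-pra01 | proxy | outbound 203.0.113.45:443 from 10.0.0.5 bytes=51200",
    'srv-fs01 | powershell | ([adsisearcher]"(objectCategory=computer)").FindAll()',
    "srv-app02 | service | service installed: PSEXESVC path=C:\\Windows\\PSEXESVC.exe",
    "wks-117 | process | started: C:\\ProgramData\\SimpleHelp\\Remote Access Service.exe",
    "srv-db01 | powershell | Get-Process | Where-Object CPU -gt 50",
    "bt-pra01 | proxy | outbound 198.51.100.10:443 from 10.0.0.5 bytes=900",
]
```

Running `scan(SAMPLE_LOGS)` flags the first four lines and leaves the benign PowerShell and the allow-listed egress alone; `looks_like_chain` turning true is the signal that the appliance compromise has already progressed beyond initial access.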

References

  1. Rapid7 — CVE-2026-1731 Critical Unauthenticated RCE in BeyondTrust RS/PRA
  2. Arctic Wolf — Threat Campaign Targeting BeyondTrust After PoC Release
  3. The Hacker News — Researchers Observe In-Wild Exploitation of BeyondTrust RCE
  4. GreyNoise — Reconnaissance Activity for BeyondTrust CVE-2026-1731
  5. BeyondTrust Security Advisory BT26-02
  6. Horizon3.ai — CVE-2026-1731 Attack Research
  7. Darktrace — How Darktrace Sees the BeyondTrust Exploitation Wave
  8. Security Affairs — Attackers Exploit BeyondTrust CVE-2026-1731 Within Hours