Critical BeyondTrust RS vulnerability exploited in active attacks
Summary
A critical pre-authentication command injection vulnerability, CVE-2026-1731, in BeyondTrust Remote Support is being actively exploited in the wild. Attackers are compromising self-hosted deployments, including Bomgar appliances, to deploy remote management tools like SimpleHelp and perform lateral movement within the network.
IFF Assessment
Active exploitation of a critical vulnerability means defenders are under immediate threat.
Severity
Defender Context
Defenders need to patch BeyondTrust Remote Support and Privileged Remote Access deployments immediately. Monitor for unusual process execution, particularly involving SimpleHelp, and review account creation and group membership changes. This highlights the risk associated with legacy appliances and the importance of timely patching.
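The monitoring described above can be turned into a first-pass log sweep. The following is an added example, not code from the original page or from BeyondTrust. It assumes hosts forward Windows Security events (4688, 4720, 4728, 4732) as JSON lines; the field names, host names, group list and sample events are constructed for illustration.

```python
import json

# Windows Security event IDs: 4688 process creation, 4720 account created,
# 4728 / 4732 member added to a global / local security group.
ACCOUNT_EVENTS = {4720: "account created",
                  4728: "member added to global group",
                  4732: "member added to local group"}
PRIVILEGED_GROUPS = {"administrators", "domain admins"}  # assumption: tune per site

def triage(lines, approved_hosts=frozenset()):
    """Return (severity, host, reason) tuples from JSON-lines events.

    Field names (event_id, host, image, command_line, target, group) are
    assumptions about the export format, not a product schema.
    """
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the sweep
        if not isinstance(ev, dict):
            continue
        eid, host = ev.get("event_id"), ev.get("host", "?")
        if eid == 4688:
            blob = f"{ev.get('image', '')} {ev.get('command_line', '')}".lower()
            # Substring match only: the page names the tool, not its binaries.
            if "simplehelp" in blob and host not in approved_hosts:
                findings.append(("high", host, "SimpleHelp execution"))
        elif eid in ACCOUNT_EVENTS:
            group = str(ev.get("group", "")).lower()
            sev = "high" if group in PRIVILEGED_GROUPS else "medium"
            findings.append((sev, host, f"{ACCOUNT_EVENTS[eid]}: {ev.get('target')}"))
    return findings

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    r'{"event_id": 4688, "host": "ws-01", "image": "C:\\Temp\\simplehelp-sample.exe"}',
    r'{"event_id": 4688, "host": "helpdesk-01", "image": "C:\\Tools\\SimpleHelp-sample.exe"}',
    r'{"event_id": 4720, "host": "dc-01", "target": "svc_sample"}',
    r'{"event_id": 4732, "host": "dc-01", "target": "svc_sample", "group": "Administrators"}',
    r'{"event_id": 4688, "host": "ws-02", "image": "C:\\Windows\\System32\\cmd.exe"}',
    '{"event_id": 4688, "host": "ws-03", "image": ',  # truncated line
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, approved_hosts={"helpdesk-01"}):
        print(*finding, sep=" | ")
```

Hosts where SimpleHelp is a sanctioned tool go in `approved_hosts`; every account or group change is reported regardless, since those need human review against change records.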