
Active exploitation seen in BeyondTrust access flaw

Mon, 16th Feb 2026

Malicious activity linked to the exploitation of a critical vulnerability in BeyondTrust remote access products has been observed in live environments, according to new threat intelligence from Arctic Wolf.

The activity is tied to CVE-2026-1731, a flaw affecting self-hosted deployments of BeyondTrust Remote Support and Privileged Remote Access. The vulnerability allows unauthenticated attackers to execute operating system commands in the context of the site user through specially crafted requests. This level of access can give attackers broad control over affected systems.

Exploitation observed

Arctic Wolf said it has identified malicious activity in the wild consistent with suspected exploitation of CVE-2026-1731. The observed incidents were limited to self-hosted environments. In each case, the affected systems were running versions of BeyondTrust software that fall within the vulnerable range.

The company said it is sharing intelligence from these incidents to help organisations detect and defend against the campaign. The activity marks a shift from earlier assessments, when exploitation had not yet been confirmed.

Cloud distinction

BeyondTrust confirmed that customers using its cloud-hosted Remote Support and Privileged Remote Access services are not exposed. Cloud instances were patched automatically, and no further action is required from those customers.

The exposure remains concentrated among organisations operating self-hosted deployments. These customers must apply the relevant patches manually to remediate the vulnerability. Systems that remain unpatched continue to face the risk of unauthenticated command execution.

Detection coverage

Arctic Wolf said it has Managed Detection and Response detections in place that are designed to identify the activity observed in this campaign. The company said it will continue to notify customers as new instances of the threat are detected.

The availability of detections does not remove the need for patching. Security teams typically view detection as a secondary control, with remediation remaining the primary defence against exploitation.

Persistence methods

In affected environments, Arctic Wolf observed attackers attempting to establish persistence using the SimpleHelp remote monitoring and management tool. SimpleHelp binaries were created and executed via Bomgar processes running under the SYSTEM account.

The binaries were renamed to appear less suspicious and were written to the ProgramData root directory. File names included variations such as "remote access.exe". Despite the renaming, the binaries retained identifying metadata, including the file description "SimpleHelp Remote Access Client".

The use of legitimate remote access tools for persistence is a common tactic, allowing attackers to blend in with normal administrative activity.

Account creation

The attackers also created new domain accounts as part of their persistence and privilege escalation efforts. These accounts were added to high-privilege groups, including domain administrators and enterprise administrators.

The activity was carried out using standard Windows commands, which can make detection more challenging in environments where such commands are routinely used by administrators.

Discovery activity

Following initial access, the attackers performed discovery to understand the affected environments. Arctic Wolf observed the use of AdsiSearcher to enumerate Active Directory computer objects.

Additional discovery commands were executed via SimpleHelp processes. These included commands to list network shares, gather detailed network configuration information, and retrieve system and operating system details. This activity suggests an effort to map the environment before expanding access.
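The persistence, account-creation and discovery indicators described above can be turned into simple hunt logic. The following is an added example, not code from the article or from Arctic Wolf, run over constructed sample events in a simplified process-creation and security-log shape; the Bomgar parent path and the account names are assumptions.

```python
"""Hunt logic for three indicators from the article: a renamed SimpleHelp client in the
ProgramData root spawned by a Bomgar process, additions to Domain/Enterprise Admins,
and AdsiSearcher-based Active Directory enumeration. Sample data is constructed."""
import ntpath

# Constructed sample events (not real telemetry); paths and names are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\ProgramData\remote access.exe",
     "description": "SimpleHelp Remote Access Client",      # metadata survives renaming
     "parent": r"C:\Program Files\Bomgar\bomgar-scc.exe",    # assumed Bomgar parent path
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": ""},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "description": "Windows PowerShell", "parent": r"C:\ProgramData\remote access.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "powershell -c ([adsisearcher]'(objectCategory=computer)').FindAll()"},
    {"kind": "group_add", "group": "Domain Admins", "member": "svc-backup2", "actor": "admin01"},
    {"kind": "group_add", "group": "Backup Operators", "member": "svc-backup2", "actor": "admin01"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe", "description": "Notepad",
     "parent": r"C:\Windows\explorer.exe", "user": r"CORP\alice", "cmdline": "notepad.exe"},
]

PRIV_GROUPS = {"domain admins", "enterprise admins"}

def in_programdata_root(path):
    """True when the file sits directly in C:\\ProgramData, not a vendor subfolder."""
    return ntpath.dirname(path).lower().rstrip("\\") == r"c:\programdata"

def renamed_simplehelp(ev):
    """Flag a binary whose version metadata says SimpleHelp but whose name hides it."""
    desc = ev.get("description", "").lower()
    name = ntpath.basename(ev["image"]).lower()
    return "simplehelp" in desc and "simplehelp" not in name and in_programdata_root(ev["image"])

def check_event(ev):
    """Return the list of indicator names an event matches (empty when benign)."""
    hits = []
    if ev["kind"] == "process":
        if renamed_simplehelp(ev):
            hits.append("renamed SimpleHelp client in ProgramData root")
            if "bomgar" in ev.get("parent", "").lower():
                hits.append("spawned by Bomgar process (possible CVE-2026-1731 post-exploitation)")
        if "adsisearcher" in ev.get("cmdline", "").lower():
            hits.append("AdsiSearcher AD enumeration")
    elif ev["kind"] == "group_add" and ev["group"].lower() in PRIV_GROUPS:
        hits.append(f"member added to {ev['group']}")
    return hits

def hunt(events):
    """Pair each matching event index with every indicator it triggered."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]
```

In production the description field would come from the PE version resource or from an EDR's file metadata, and the group-addition events from the domain controllers' security logs.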

Lateral movement

The campaign also involved lateral movement across networks. Arctic Wolf observed the use of PsExec to deploy SimpleHelp across multiple devices within affected environments.

Impacket SMBv2 session setup requests were also seen early in some incidents. These techniques are commonly used to move between systems once administrative credentials have been obtained.

Patch guidance

Arctic Wolf strongly recommends that organisations apply the available fixes for CVE-2026-1731. Remote Support versions up to 25.3.1 require patch BT26-02-RS, while Privileged Remote Access versions up to 24.3.4 require patch BT26-02-PRA.

Organisations running self-hosted Remote Support versions earlier than 21.3 or Privileged Remote Access versions earlier than 22.1 must upgrade to a supported release before applying the patches. Versions of Privileged Remote Access from 25.1 onwards are not affected by this vulnerability.

BeyondTrust has already applied fixes to all cloud-hosted Remote Support and Privileged Remote Access instances.

Arctic Wolf advised organisations to follow their established patching and testing procedures to reduce the risk of operational disruption while addressing the vulnerability.