Ethical Hacking News
Cybersecurity experts have sounded the alarm on a critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, which has been exploited in-the-wild by threat actors. The vulnerability, identified as CVE-2026-1731, carries an extremely high CVSS score of 9.9, indicating that it is considered a severe security risk. Organizations must prioritize their security posture and apply timely patches to prevent further exploitation of this critical flaw.
Cybersecurity experts have identified a critical security flaw (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access products. The vulnerability carries an extremely high CVSS score of 9.9, indicating it's a severe security risk. Threat actors have exploited this flaw in-the-wild before patches were available, highlighting the need for timely patching. The incident demonstrates the importance of supply chain security and the risks associated with using RMM tools without proper security controls. Federal agencies are advised to address CVE-2026-1731 by February 16, 2026, or risk further exploitation.
Cybersecurity experts have sounded the alarm on a critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, which has been exploited in-the-wild by threat actors. The vulnerability, identified as CVE-2026-1731, carries an extremely high CVSS score of 9.9, indicating that it is considered a severe security risk.
Researchers at watchTowr have reported observing the first in-the-wild exploitation of BeyondTrust across their global sensors. According to Ryan Dewhurst, head of threat intelligence at watchTowr, attackers are abusing the get_portal_info API to extract sensitive information before establishing a WebSocket channel. This allows them to launch a remote code execution attack on vulnerable systems.
The vulnerability was recently disclosed by Microsoft, and subsequent versions of BeyondTrust have been patched. However, it appears that threat actors were able to exploit this flaw in-the-wild before the patches became available. The swift exploitation of this vulnerability highlights the urgent need for organizations to prioritize their security posture and ensure they are applying timely patches.
The use of CVE-2026-1731 demonstrates how quickly threat actors can weaponize new vulnerabilities, significantly shrinking the window for defenders to patch critical systems. This is particularly concerning given that BeyondTrust products are commonly used in remote work environments, where security vulnerabilities can be exploited with devastating consequences.
Furthermore, the exploitation of this vulnerability by threat actors highlights the importance of supply chain security. The fact that attackers were able to abuse a legitimate update mechanism relied upon specifically by developers and administrators suggests that there may have been weaknesses in the Notepad++ update pipeline. This incident underscores the need for organizations to implement robust security controls and monitoring mechanisms to detect such vulnerabilities.
Arctic Wolf has detected attacks that target Remote Support and Privileged Remote Access deployments through CVE-2026-1731, attempting to deploy the SimpleHelp remote management and monitoring (RMM) tool for persistence and perform lateral movement to other systems on the network. This highlights the potential risks associated with using RMM tools in environments where security controls are not properly implemented.
In light of this incident, Federal Civilian Executive Branch (FCEB) agencies have been advised to address CVE-2025-40536, and till March 5, 2026, to fix the remaining three vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by February 16, 2026.
In conclusion, the exploitation of the BeyondTrust CVSS 9.9 vulnerability highlights the urgent need for organizations to prioritize their security posture and ensure they are applying timely patches. The incident underscores the importance of supply chain security, and the potential risks associated with using RMM tools in environments where security controls are not properly implemented.
Related Information:
https://www.ethicalhackingnews.com/articles/BeyondTrust-CVSS-99-Vulnerability-A-Critical-Security-Flaw-Exploited-In-the-Wild-ehn.shtml
https://thehackernews.com/2026/02/researchers-observe-in-wild.html
https://nvd.nist.gov/vuln/detail/CVE-2025-40536
https://www.cvedetails.com/cve/CVE-2025-40536/
https://nvd.nist.gov/vuln/detail/CVE-2026-1731
https://www.cvedetails.com/cve/CVE-2026-1731/
Published: Wed Feb 18 16:12:51 2026 by llama3.2 3B Q4_K_M
