Live Cybersecurity News Ticker | Codekeeper

Critical BeyondTrust Flaw Gives Attackers Full Domain Control

Written by Content Team | Feb 16, 2026 12:17:33 PM

Attackers are actively exploiting CVE-2026-1731, a critical vulnerability in BeyondTrust's self-hosted systems that allows complete domain takeover without authentication. The flaw lets hackers execute operating system commands remotely through crafted HTTP requests, earning a devastating 9.8 CVSS score.

Threat actors are deploying SimpleHelp remote access tools and creating privileged domain accounts with Enterprise Admin rights. Arctic Wolf researchers found attackers using reconnaissance commands to map Active Directory networks before spreading across multiple hosts with PsExec and Impacket tools.
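A hunt for two of the behaviours described above (a freshly created account landing in Enterprise Admins, and PsExec appearing on several hosts), written as an added example that is not from the article or from Arctic Wolf. The event records are constructed and simplified, and the one-hour correlation window and two-host threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article), using Windows event field names:
# 4720 = user account created, 4756/4728 = member added to a universal/global
# security group, 7045 = service installed (System log).
EVENTS = [
    {"time": "2026-02-10T03:12:05", "host": "DC01", "id": 4720,
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1-2-3-1601"},
    {"time": "2026-02-10T03:12:40", "host": "DC01", "id": 4756,
     "TargetUserName": "Enterprise Admins", "MemberSid": "S-1-5-21-1-2-3-1601"},
    {"time": "2026-02-10T03:20:11", "host": "FS01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2026-02-10T03:21:47", "host": "APP02", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Membership change for an account that was not just created: not flagged.
    {"time": "2026-02-10T09:00:00", "host": "DC01", "id": 4756,
     "TargetUserName": "Enterprise Admins", "MemberSid": "S-1-5-21-1-2-3-500"},
]

def hunt(events, window=timedelta(hours=1), min_hosts=2):
    """Return findings for new-account privilege grants and PsExec spread."""
    findings, created, psexec_hosts = [], {}, set()
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            # Remember when each account SID was created.
            created[ev["TargetSid"]] = (ts, ev["TargetUserName"])
        elif ev["id"] in (4728, 4756) and ev["TargetUserName"].lower() == "enterprise admins":
            born = created.get(ev["MemberSid"])
            if born and ts - born[0] <= window:
                findings.append(("new_account_in_enterprise_admins", born[1], ev["host"]))
        elif ev["id"] == 7045 and ev["ServiceName"].upper() == "PSEXESVC":
            # Catches the default PsExec service name only; tools that pick
            # their own service names need a different signal.
            psexec_hosts.add(ev["host"])
    if len(psexec_hosts) >= min_hosts:
        findings.append(("psexec_on_multiple_hosts", sorted(psexec_hosts)))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```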

Cloud customers received automatic patches on February 2, 2026, but self-hosted users running Remote Support 25.3.1 or Privileged Remote Access 24.3.4 must manually apply updates immediately. CISA warns that older versions must be upgraded before they can be patched.

Source: Cybersecurity News