remote access.exe and others.”

The attackers also managed to create domain accounts using the net user command and then added them to administrative groups such as “enterprise admins” or “domain admins.”

The AdsiSearcher tool was used to search the Active Directory environment for other computers and PsExec was used to install SimpleHelp on multiple devices.

The researchers also observed Impacket SMBv2 session setup requests in affected environments. Impacket is a Python library that can be used to decode network traffic and is often used in conjunction with sniffing tools.

CVE-2026-1731 is a critical pre-authentication command injection vulnerability that impacts BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The company released patches for multiple versions of the impacted software, but older versions of RS need to be updated first before the patch can be applied, which could be a problem for appliances that are no longer supported and have reached end of life.

A proof-of-concept exploit was published on GitHub, so it’s not surprising that attacks followed soon after. As a remote access solution, BeyondTrust RS is an attractive target for both state-sponsored attackers and ransomware groups. The US Department of the Treasury had some of its workstations compromised after hackers exploited vulnerabilities in SaaS instances of BeyondTrust RS.
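One way to hunt for the account activity described above (accounts created with net user, then added to “enterprise admins” or “domain admins”) in process-creation command lines. This is an added example, not code from the article or the researchers; the (host, command line) input format, host names and account names are constructed assumptions.

```python
import re

# Groups named in the article; compared case-insensitively.
PRIV_GROUPS = {"domain admins", "enterprise admins"}
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps "Domain Admins" as one token

# Constructed sample events: (host, process command line).
SAMPLE_EVENTS = [
    ("HOST-A", "net user svc_backup Placeholder1! /add /domain"),
    ("HOST-A", 'net group "Domain Admins" svc_backup /add /domain'),
    ("HOST-B", "net user"),
    ("HOST-B", r'C:\Windows\System32\net.exe group "Enterprise Admins" helpdesk2 /add /domain'),
    ("HOST-C", "net localgroup Administrators"),
    ("HOST-C", "ping 10.0.0.1"),
]

def parse_net(cmdline):
    """Return (verb, positional args, switches) for a net/net1 call, else None."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(toks) < 2:
        return None
    exe = toks[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in NET_BINARIES:
        return None
    rest = toks[2:]
    switches = {t.lower() for t in rest if t.startswith("/")}
    args = [t for t in rest if not t.startswith("/")]
    return toks[1].lower(), args, switches

def detect(events):
    """Flag account creation and additions to privileged groups, in event order."""
    created = set()  # accounts seen being created earlier in the stream
    alerts = []
    for host, cmdline in events:
        parsed = parse_net(cmdline)
        if not parsed or "/add" not in parsed[2]:
            continue  # not net.exe, or a read-only query such as "net user"
        verb, args, _ = parsed
        if verb == "user" and args:
            created.add(args[0].lower())
            alerts.append(("account_created", host, args[0].lower()))
        elif verb in {"group", "localgroup"} and len(args) >= 2 \
                and args[0].lower() in PRIV_GROUPS:
            for member in (a.lower() for a in args[1:]):
                # Highest priority: an account created and escalated in one stream.
                kind = "new_account_escalated" if member in created else "priv_group_add"
                alerts.append((kind, host, member))
    return alerts
```
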
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4132368/critical-beyondtrust-rs-vulnerability-exploited-in-active-attacks.html

