CISO Brief

All news with #beyondtrust tag

14 articles

AWS Bedrock Sandbox Allows DNS-Based Isolation Bypass

🔒 BeyondTrust researchers demonstrated that the Sandbox mode in AWS Bedrock AgentCore Code Interpreter permits outbound DNS A/AAAA queries that can be abused to create a bidirectional covert channel. By encoding data in DNS requests and responses they showed both data exfiltration and an interactive reverse shell without triggering network restrictions. AWS reproduced the report but characterized the behavior as intended and updated documentation rather than issuing a patch.

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.

Critical BeyondTrust Flaw Used to Deploy Web Shells

🔒 Palo Alto Networks Unit 42 reports active exploitation of a critical sanitization bug in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731 (CVSS 9.9), that allows OS command execution via the thin-scc-wrapper WebSocket interface. Threat actors have used the flaw for reconnaissance, deploying web shells and backdoors (including VShell and Spark RAT), lateral movement, and data theft. Multiple sectors across several countries are affected, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

Critical Pre-auth RCE in BeyondTrust Remote Support

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.

Weekly Recap: Add-in Hijack, Zero-Days, and Cloud Abuse

🔒 This weekly recap shows how small, trusted gaps are becoming major entry points — from a hijacked Outlook add-in (AgreeTo) turned into a phishing kit that stole over 4,000 Microsoft credentials to multiple actively exploited zero-days in Chrome and Apple platforms. It also covers a critical BeyondTrust RCE under active exploitation, new Linux botnet activity abusing SSH, and cloud-focused campaigns targeting exposed Docker, Kubernetes, and Redis instances. Attackers are combining legacy techniques, cloud misconfigurations, and AI assistance to scale access and persistence.

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premise customers must install fixes manually.

Critical BeyondTrust RS Flaw Being Exploited in Wild

🔒 Researchers warn a critical pre-authentication command injection (CVE-2026-1731) in BeyondTrust Remote Support is being actively exploited to compromise self-hosted deployments, including legacy Bomgar B-series appliances. Attackers have deployed renamed SimpleHelp binaries, created domain accounts and escalated privileges to perform lateral movement. Patches are available, but end-of-life appliances and required version upgrades complicate remediation while a public proof-of-concept has accelerated exploitation.

CISA Adds Known-Exploited CVE for BeyondTrust RS/PRA

⚠️ CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation of an OS command injection vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA emphasizes that command injection flaws are a frequent and dangerous attack vector that pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and integrate these fixes into their vulnerability management processes.

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.

Critical BeyondTrust RCE Now Exploited in Attacks Globally

🚨 A critical pre-authentication remote code execution vulnerability, CVE-2026-1731, in BeyondTrust Remote Support and Privileged Remote Access appliances is being actively exploited after a proof-of-concept was published. The flaw affects Remote Support ≤25.3.1 and Privileged Remote Access ≤24.3.4 and allows unauthenticated attackers to execute OS commands as the site user. BeyondTrust automatically patched SaaS instances on Feb 2, 2026; on-premises customers must install vendor updates immediately.

BeyondTrust patches critical unauthenticated RCE flaw

🔒 BeyondTrust has released emergency patches to address a critical unauthenticated remote code execution vulnerability in self-hosted instances of Remote Support and Privileged Remote Access. Tracked as CVE-2026-1731 and discovered in January by Hacktron AI, the flaw is rated 9.9/10. BeyondTrust published Patch BT26-02-RS for RS 21.3–25.3.1 and Patch BT26-02-PRA for PRA 22.1–24.x; PRA 25.1+ are not affected and SaaS tenants were patched server-side. Around 11,000 RS instances are internet-exposed, roughly 8,500 of which are on-premises and need immediate patching.

BeyondTrust warns of critical RCE in Remote Support

⚠️ BeyondTrust has issued an urgent advisory for a critical pre-authentication remote code execution vulnerability tracked as CVE-2026-1731 affecting Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4). The flaw is an OS command injection discovered by Harsh Jaiswal and the Hacktron AI team and can be exploited by unauthenticated attackers without user interaction. BeyondTrust says cloud systems were secured by February 2, 2026 and advises on-premises customers to upgrade to RS 25.3.2 or PRA 25.1.1 immediately.

BeyondTrust Patches Critical Pre-Auth RCE in RS and PRA

🔒 BeyondTrust has released updates to address a critical pre-authentication remote code execution vulnerability affecting Remote Support and older Privileged Remote Access versions. The flaw, tracked as CVE-2026-1731, is an operating-system command injection rated 9.9 on the CVSS scale and allows unauthenticated attackers to execute OS commands in the context of the site user. Patches (BT26-02-RS and BT26-02-PRA) or upgrades to the fixed releases should be applied immediately, and self-hosted customers without automatic updates must apply the fix manually.

Preparing for the Digital Battlefield of Identity Risk

🔒 BeyondTrust's 2026 predictions argue that the next major breaches will stem from unmanaged identity debt rather than simple phishing. The report highlights three identity-driven threats: agentic AI acting as privileged deputies vulnerable to prompt manipulation, automated "account poisoning" in financial systems, and long-dormant "ghost" identities surfacing in legacy IAM. The authors recommend an identity-first posture with strict least-privilege, context-aware controls, real-time auditing, and stronger identity governance.