Hackers Swarm BeyondTrust Flaw Within Hours of Patch Drop – Patch Now or Panic
Attackers are hammering a fresh critical remote code execution bug in BeyondTrust Remote Support and Privileged Remote Access, tracked as CVE-2026-1731, right after Rapid7 dropped a proof-of-concept exploit on February 10. Just days later, reconnaissance exploded across the internet, with real-world exploitation deploying remote-access tools like SimpleHelp for persistence.
This OS command injection hits the get_portal_info endpoint, letting unauthenticated attackers run arbitrary commands on exposed instances – it’s basically a remix of last year’s CVE-2024-12356, which Chinese hackers used to crack the US Treasury. BeyondTrust patched its SaaS deployments on February 2 and screamed at on-prem users to update ASAP; firms like Arctic Wolf and Darktrace are spotting active attacks, including lateral movement and discovery scripts. GreyNoise clocked scans blasting from a single IP, smartly probing non-standard ports where paranoid admins hide their gear. Defused Cyber saw Nuclei-based exploits flying, but no novel variants in the wild yet.
Devs and ops folks, if you’re leaning on BeyondTrust for privileged access – and who isn’t in enterprise land? – this is your wake-up slap. Unpatched boxes are sitting ducks for command injection that could dump creds, pivot to your crown jewels, or drop ransomware payloads. It’s not theoretical; attacks kicked off within 24 hours of the PoC, proving script kiddies and pros alike are on it. Skip the patch, and you’re begging for a breach that nukes your sec posture overnight.
Assume breach if you dragged your feet – spin up logs, hunt for WebSocket abuse on that endpoint, and isolate anything fishy. BeyondTrust’s fix is out; apply it yesterday. In a world where zero-days turn into mass exploits overnight, staying current isn’t optional – it’s your firewall against the chaos.
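As an added defender-side example that is not part of the original article: a small Python hunt over web-access logs that flags requests to the get_portal_info endpoint carrying shell metacharacters, and tallies how often each source IP touched that endpoint so a single-IP scanning burst stands out. The combined-style log format and the sample lines are constructed; the article does not document the exact request shape the exploit uses, so the pattern is a hunt heuristic to tune, not a vendor signature.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined-log style (assumption: your appliance
# or reverse proxy records request lines this way; adapt LOG_RE otherwise).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Feb/2026:03:14:07 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [11/Feb/2026:03:15:22 +0000] "POST /get_portal_info HTTP/1.1" 200 88 "-" "Go-http-client/1.1"
203.0.113.77 - - [11/Feb/2026:03:15:23 +0000] "GET /get_portal_info?name=acme%3B%20x HTTP/1.1" 500 0 "-" "Go-http-client/1.1"
198.51.100.5 - - [11/Feb/2026:03:16:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a portal-info lookup. A bare
# '&' is a normal query-string separator, so only '&&' counts here.
SUSPICIOUS = re.compile(r'[;|`$]|&&')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_hit(entry):
    """True when the request targets get_portal_info and carries metacharacters."""
    if entry is None or "get_portal_info" not in entry["path"]:
        return False
    decoded = unquote(entry["path"])  # decode %xx so %3B (';') becomes visible
    return bool(SUSPICIOUS.search(decoded))

def hunt(log_text):
    """Return (suspicious_hits, per-IP count of all get_portal_info requests)."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and "get_portal_info" in entry["path"]:
            per_ip[entry["ip"]] += 1
            if is_suspicious_hit(entry):
                hits.append(entry)
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = hunt(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("get_portal_info requests per IP:", dict(per_ip))
```

Feed it your real access log instead of SAMPLE_LOG and review every flagged line by hand; an HTTP 500 or a WebSocket upgrade (status 101) on this endpoint from an IP with a high count deserves a closer look.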