Researchers are sounding the alarm about a serious vulnerability that was patched this week in BeyondTrust Remote Support. The flaw is reportedly being actively exploited in the wild against self-hosted deployments, including Bomgar remote support appliances that run affected software versions.
Bomgar, known for its privileged identity and access management products, acquired BeyondTrust in 2018 and adopted its brand name. The Bomgar on-premises hardware appliances, branded as BeyondTrust B-series appliances, offer secure remote access to enterprise networks. However, many of these hardware models have reached end of life, prompting customers to upgrade to either virtual appliances or BeyondTrust’s Software as a Service (SaaS) offerings: Privileged Remote Access (Cloud) and Remote Support (Cloud).
Researchers from Arctic Wolf have reported attacks that compromised Bomgar appliances through CVE-2026-1731, the vulnerability patched this week. The attackers used that access to deploy the SimpleHelp remote monitoring and management (RMM) tool and then moved laterally to other systems within the network.
Details of the Exploitation
The researchers noted that “renamed SimpleHelp binaries were created through Bomgar processes using the SYSTEM account.” The executables were written to the root of the ProgramData directory and executed from there; one of the observed file names was remote access.exe.
The attackers also created domain accounts with the net user command and then added those accounts to privileged groups such as Enterprise Admins and Domain Admins.
For discovery and lateral movement, the attackers used PowerShell’s [adsisearcher] type accelerator (a wrapper around .NET’s DirectorySearcher) to enumerate other computers in Active Directory, and used PsExec to install SimpleHelp on multiple hosts.
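The chain above (SYSTEM-level child processes of the Bomgar client dropping executables into the ProgramData root, net user account creation, privileged group additions, [adsisearcher] enumeration and PsExec) maps cleanly onto process-creation telemetry. The following is an added detection example written for this article, not code from Arctic Wolf, BeyondTrust or the researchers. It runs over constructed Sysmon-style process-creation records; the field names (id, user, image, parent_image, command_line) and the Bomgar client image name bomgar-scc.exe are assumptions.

```python
"""Detection rules for the BeyondTrust/SimpleHelp post-exploitation chain.

Added example, not code from the article, Arctic Wolf or BeyondTrust.
Events are constructed Sysmon-style process-creation records with assumed
field names (id, user, image, parent_image, command_line). The Bomgar
client image name 'bomgar-scc.exe' is an assumption.
"""
import re
from pathlib import PureWindowsPath

# Assumption: the Bomgar/BeyondTrust support client binary is bomgar-scc.exe.
BOMGAR_IMAGES = {"bomgar-scc.exe"}
SYSTEM_USER = "nt authority\\system"
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
PRIV_GROUPS = r'(?:domain admins|enterprise admins|administrators)'

# net user <name> <password> /add [/domain]
NET_USER_ADD = re.compile(r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', re.I)
# net group "<privileged group>" <name> /add
NET_GROUP_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+"?' + PRIV_GROUPS + r'"?\s+\S+\s+/add\b', re.I)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_programdata_root(path: str) -> bool:
    """True for an .exe sitting directly in C:\\ProgramData (no subfolder)."""
    p = PureWindowsPath(path)
    return (len(p.parts) == 3
            and p.parts[0].lower() == "c:\\"
            and p.parts[1].lower() == "programdata"
            and p.suffix.lower() == ".exe")


def bomgar_spawns_programdata_exe(ev) -> bool:
    """SYSTEM-level child of the Bomgar client launched from the ProgramData root."""
    return (image_name(ev["parent_image"]) in BOMGAR_IMAGES
            and ev["user"].lower() == SYSTEM_USER
            and in_programdata_root(ev["image"]))


def domain_account_created(ev) -> bool:
    cl = ev["command_line"]
    return bool(NET_USER_ADD.search(cl)) and "/domain" in cl.lower()


def privileged_group_add(ev) -> bool:
    return bool(NET_GROUP_ADD.search(ev["command_line"]))


def ad_enumeration(ev) -> bool:
    return "[adsisearcher]" in ev["command_line"].lower()


def psexec_lateral_movement(ev) -> bool:
    # PsExec binary pointed at a remote host (\\HOST in the command line).
    return image_name(ev["image"]) in PSEXEC_IMAGES and "\\\\" in ev["command_line"]


RULES = [
    ("bomgar_spawns_programdata_exe", bomgar_spawns_programdata_exe),
    ("domain_account_created", domain_account_created),
    ("privileged_group_add", privileged_group_add),
    ("ad_enumeration", ad_enumeration),
    ("psexec_lateral_movement", psexec_lateral_movement),
]


def evaluate(events):
    """Return (rule_name, event_id) pairs for every rule that fires."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: five malicious records and two benign ones.
SAMPLE_EVENTS = [
    {"id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\Program Files\Bomgar\bomgar-scc.exe",
     "image": r"C:\ProgramData\remote access.exe",
     "command_line": r'"C:\ProgramData\remote access.exe"'},
    {"id": 2, "user": r"CORP\svc-bomgar", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user backupadm P@ssw0rd123 /add /domain"},
    {"id": 3, "user": r"CORP\svc-bomgar", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "domain admins" backupadm /add /domain'},
    {"id": 4, "user": r"CORP\backupadm", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command ([adsisearcher]'objectcategory=computer').FindAll()"},
    {"id": 5, "user": r"CORP\backupadm", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\backupadm\Desktop\PsExec.exe",
     "command_line": r'psexec.exe \\FILESRV01 -s -c "C:\ProgramData\remote access.exe"'},
    {"id": 6, "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\Vendor\update\agent.exe",
     "command_line": r"C:\ProgramData\Vendor\update\agent.exe /check"},
    {"id": 7, "user": r"CORP\alice", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The ProgramData rule deliberately ignores executables in vendor subfolders (event 6), which is where legitimate updaters live, and the net rules ignore plain account listing (event 7); tune the Bomgar image set to the binary names actually present in your deployment before using any of this against real telemetry.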
The researchers also identified Impacket SMBv2 session setup requests in the compromised environments. Impacket is an open-source Python library that implements network protocols such as SMB and ships with offensive tooling (psexec.py, wmiexec.py, secretsdump.py) widely used for lateral movement and credential theft; the way its SMB client sets up sessions is a recognised network indicator.
Vulnerability Overview
CVE-2026-1731 is classified as a critical pre-authentication command injection vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Although the company has released patches for several versions of the affected software, older RS releases must first be upgraded to a supported version before the patch can be applied, which is a problem for appliances that have reached end of life and are no longer supported.
A proof-of-concept exploit was published on GitHub, which likely accelerated the subsequent attacks. As a remote access solution, BeyondTrust RS is an attractive target for state-sponsored attackers and ransomware groups alike. Notably, the US Department of the Treasury had some of its workstations compromised in late 2024 after attackers exploited vulnerabilities in its SaaS instances of BeyondTrust RS.