Researchers warn that a critical vulnerability patched this week in BeyondTrust Remote Support is being exploited in the wild to compromise self-hosted deployments, including Bomgar remote support appliances running affected versions of the software.
Bomgar, a provider of privileged identity and access management products, acquired BeyondTrust in 2018, adopting the latter’s brand name. Bomgar on-premises hardware appliances, known as BeyondTrust B-series appliances, provide secure remote access to enterprise networks, but many hardware models have reached end of life, with customers encouraged to upgrade to either the virtual appliance or BeyondTrust’s SaaS offerings: Privileged Remote Access (Cloud) and Remote Support (Cloud).
Researchers from security firm Arctic Wolf have detected attacks that compromised Bomgar appliances through the CVE-2026-1731 flaw patched this week. The attackers then attempted to deploy the SimpleHelp remote management and monitoring (RMM) tool and move laterally to other systems on the network.
“Renamed SimpleHelp binaries were created through Bomgar processes using the SYSTEM account,” the researchers said in a report today. “These executables were saved to the ProgramData root directory and executed from there. Binary names include remote access.exe and others.”
The attackers also managed to create domain accounts using the net user command and then added them to administrative groups such as “enterprise admins” or “domain admins.”
The AdsiSearcher tool was used to search the Active Directory environment for other computers, and PsExec was used to install SimpleHelp on multiple devices.
The researchers also observed Impacket SMBv2 session setup requests in affected environments. Impacket is a Python library that can be used to decode network traffic and is often used in conjunction with sniffing tools.
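The host-side behaviours Arctic Wolf describes (a Bomgar process running as SYSTEM dropping a renamed binary into the ProgramData root, `net user` account creation followed by additions to Domain Admins or Enterprise Admins, AdsiSearcher enumeration, and PsExec remote installs) map cleanly onto process-creation telemetry. The script below is an added example written for this article, not Arctic Wolf's or BeyondTrust's detection content. The event record layout, the sample events, the Bomgar parent path and the account name are all constructed for illustration; the rule that matches a parent process by the substrings "bomgar" or "beyondtrust" in its image path is an assumption. The network-level Impacket SMBv2 indicator is not covered here because it is not visible in process logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    """One simplified process-creation record (constructed field set)."""
    parent_image: str
    image: str
    user: str
    command_line: str

# Privileged groups named in the Arctic Wolf report.
ADMIN_GROUPS = {"enterprise admins", "domain admins"}

def _dirname(path: str) -> str:
    """Parent directory of a Windows path, lower-cased, without trailing backslash."""
    p = path.replace("/", "\\").rstrip("\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def bomgar_spawned_programdata_binary(ev: ProcEvent) -> bool:
    """Bomgar/BeyondTrust parent (assumption: 'bomgar' or 'beyondtrust' appears in
    the parent image path), running as SYSTEM, launching an executable that sits
    directly in the ProgramData root rather than in a vendor subfolder."""
    parent = ev.parent_image.lower()
    return (
        ("bomgar" in parent or "beyondtrust" in parent)
        and ev.user.lower() == r"nt authority\system"
        and _dirname(ev.image) == r"c:\programdata"
    )

_NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)
_NET_GROUP_ADD = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?([^"]+?)"?\s+\S+\s+/add\b', re.I)

def net_account_abuse(ev: ProcEvent) -> Optional[str]:
    """Account creation via `net user ... /add`, or a member added to one of the
    privileged groups via `net group`. Plain listings (no /add) are ignored."""
    cl = ev.command_line
    if _NET_USER_ADD.search(cl):
        return "account created with net user /add"
    m = _NET_GROUP_ADD.search(cl)
    if m and m.group(1).strip().lower() in ADMIN_GROUPS:
        return f"member added to privileged group '{m.group(1).strip()}'"
    return None

def adsisearcher_recon(ev: ProcEvent) -> bool:
    """PowerShell [adsisearcher] type accelerator used for AD enumeration."""
    return "[adsisearcher]" in ev.command_line.lower()

def psexec_remote_install(ev: ProcEvent) -> bool:
    """PsExec launched locally, or a child of the PSEXESVC service on a target."""
    return (_basename(ev.image) in {"psexec.exe", "psexec64.exe"}
            or _basename(ev.parent_image) == "psexesvc.exe")

def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every rule over the events; returns (rule, evidence) pairs in order."""
    findings = []
    for ev in events:
        if bomgar_spawned_programdata_binary(ev):
            findings.append(("bomgar-spawned binary in ProgramData root", ev.image))
        reason = net_account_abuse(ev)
        if reason:
            findings.append((reason, ev.command_line))
        if adsisearcher_recon(ev):
            findings.append(("AdsiSearcher AD enumeration", ev.command_line))
        if psexec_remote_install(ev):
            findings.append(("PsExec remote execution", ev.image))
    return findings

# Constructed sample telemetry. The Bomgar parent path is a placeholder.
BOMGAR = r"C:\Program Files\Bomgar\bomgar-service.exe"   # placeholder path
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    ProcEvent(BOMGAR, r"C:\ProgramData\remote access.exe", SYSTEM,
              r'"C:\ProgramData\remote access.exe"'),                 # renamed RMM drop
    ProcEvent(BOMGAR, r"C:\ProgramData\Bomgar\updater.exe", SYSTEM,
              r'"C:\ProgramData\Bomgar\updater.exe"'),                # subfolder: benign
    ProcEvent(r"C:\ProgramData\remote access.exe", r"C:\Windows\System32\net.exe",
              SYSTEM, r"net user svc_rmm P@ssw0rd! /add /domain"),
    ProcEvent(r"C:\ProgramData\remote access.exe", r"C:\Windows\System32\net.exe",
              SYSTEM, r'net group "Domain Admins" svc_rmm /add /domain'),
    ProcEvent(r"C:\ProgramData\remote access.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM,
              r"powershell -c ([adsisearcher]'(objectClass=computer)').FindAll()"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\psexec.exe", SYSTEM,
              r'psexec.exe \\HOST01 -s -c "C:\ProgramData\remote access.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              SYSTEM, r'net group "Domain Admins" /domain'),          # listing: benign
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

The ProgramData rule deliberately requires the binary to sit in the root of ProgramData, which is what the report describes; legitimate Bomgar components normally live in their own subfolder, so that check is the main false-positive filter. The `net group` rule keys on the exact privileged group names from the report and ignores `net localgroup`, which would need a separate rule if local administrator abuse were in scope.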
CVE-2026-1731 is a critical pre-authentication command injection vulnerability that affects BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The company released patches for multiple versions of the affected software, but older versions of RS must be upgraded before the patch can be applied, which could be a problem for appliances that are no longer supported and have reached end of life.
A proof-of-concept exploit was published on GitHub so it’s not surprising that attacks followed soon after. As a remote access solution, BeyondTrust RS is an attractive target for both state-sponsored attackers and ransomware groups. The US Department of the Treasury had some of its workstations compromised after hackers exploited vulnerabilities in SaaS instances of BeyondTrust RS.