
According to watchTowr, threat actors have begun exploiting recently revealed critical security flaws affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products.
“Overnight, we observed the first real-world exploitation of BeyondTrust across our global sensors,” Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. “The attacker is abusing get_portal_info to extract the x-ns-company value before establishing the WebSocket channel.”
The vulnerability in question, CVE-2026-1731 (CVSS score: 9.9), could allow an unauthenticated attacker to execute remote code by sending a specially crafted request.
BeyondTrust noted last week that successful exploitation of this flaw could allow an unauthenticated, remote attacker to execute operating system commands in the context of a site user, potentially resulting in unauthorized access, data disclosure, or service interruption.
The following versions have been patched:
Remote Support – Patch BT26-02-RS, 25.3.2 or later
Privileged Remote Access – Patch BT26-02-PRA, 25.1.1 or later
The use of CVE-2026-1731 illustrates how attackers can quickly weaponize new vulnerabilities, significantly reducing the time defenders have to patch critical systems.
CISA adds 4 defects to KEV catalog
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Here is the list of vulnerabilities:
CVE-2026-20700 (CVSS Score: 7.8) – Improper restriction of operations within a memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS could allow an attacker with memory write capabilities to execute arbitrary code.
CVE-2025-15556 (CVSS Score: 7.7) – Downloading code without an integrity check vulnerability in Notepad++ could allow an attacker to intercept or redirect update traffic and download and execute an attacker-controlled installer, potentially resulting in arbitrary code execution with the user’s privileges.
CVE-2025-40536 (CVSS Score: 8.1) – A security control bypass vulnerability in SolarWinds Web Help Desk could allow an unauthenticated attacker to access certain restricted functionality.
CVE-2024-43468 (CVSS Score: 9.8) – A SQL injection vulnerability in Microsoft Configuration Manager could allow an unauthenticated attacker to execute commands on the server or underlying database by sending a specially crafted request.
It is worth noting that CVE-2024-43468 was patched by Microsoft in October 2024 as part of the Patch Tuesday update. It is currently unknown how this vulnerability is being exploited in actual attacks. There is also no information about the identity of the attackers exploiting the flaw or the scale of such efforts.
The addition of CVE-2024-43468 to the KEV catalog follows Microsoft’s recent reporting of a multi-stage intrusion in which attackers exploited Internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access and then moved laterally across an organization’s network to other high-value assets.
However, the Windows maker said it is not clear whether the attack exploited CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399, as the attack occurred in December 2025 on machines that were vulnerable to both the older and the newer set of flaws.
Regarding CVE-2026-20700, Apple has acknowledged that this flaw could be exploited in very sophisticated attacks against specific targets on versions of iOS prior to iOS 26, raising the possibility that it could be exploited to distribute commercial spyware. The issue was fixed by the tech giant earlier this week.
Finally, the exploitation of CVE-2025-15556 has been attributed by Rapid7 to a state-sponsored threat actor associated with China known as Lotus Blossom (also known as Billbug, Bronze Elgin, G0030, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip). It is known to have been active since at least 2009.
This targeted attack was found to deliver a previously undocumented backdoor called Chrysalis. Although the supply chain attack was completely stopped on December 2, 2025, it is estimated that the Notepad++ update pipeline was compromised over a period of nearly five months, from June to October 2025.

The DomainTools Investigations (DTI) team described the incident as a precise and “quiet, coordinated intrusion”, indicative of a covert intelligence-gathering mission designed to keep operational noise as low as possible. This threat actor was also characterized by a tendency for long dwell times and multi-year campaigns.
A key aspect of this campaign is that the attackers left the Notepad++ source code intact and instead relied on a trojanized installer to deliver the malicious payload. This allowed them to bypass source code reviews and integrity checks, so the attack could go undetected for long periods of time, DTI added.
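The CWE behind CVE-2025-15556 is downloading code without an integrity check, which is what lets a redirected or intercepted update hand the user an attacker-controlled installer. The following added example (not code from Notepad++, DTI or any other party named here) sketches the mitigation in Go: the updater pins the publisher's Ed25519 public key, verifies a signed manifest, and only runs an installer whose SHA-256 matches the manifest. The manifest format, the key pair, the version string and the installer bytes are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor fetched before the installer itself.
type Manifest struct {
	Version string `json:"version"`
	SHA256  []byte `json:"sha256"`
}

// verifyUpdate checks the manifest signature against the pinned publisher key, then
// compares the downloaded installer against the digest in the signed manifest.
// Either failure rejects the update, so a swapped installer is never executed.
func verifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, installer []byte) (string, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return "", errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", err
	}
	sum := sha256.Sum256(installer)
	if !bytes.Equal(sum[:], m.SHA256) {
		return "", errors.New("installer digest does not match signed manifest")
	}
	return m.Version, nil
}

// signManifest is the publisher side, included only so the example runs offline.
func signManifest(priv ed25519.PrivateKey, version string, installer []byte) ([]byte, []byte) {
	sum := sha256.Sum256(installer)
	mj, _ := json.Marshal(Manifest{Version: version, SHA256: sum[:]})
	return mj, ed25519.Sign(priv, mj)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed)
	genuine := []byte("constructed sample installer bytes")
	mj, sig := signManifest(priv, "1.2.3-sample", genuine)
	fmt.Println(verifyUpdate(pub, mj, sig, genuine))
	// Installer substituted in transit while the manifest is untouched: rejected.
	_, err := verifyUpdate(pub, mj, sig, []byte("attacker-controlled installer"))
	fmt.Println(err)
}
```

In a real updater the public key ships inside the application rather than being generated at runtime, and the manifest is fetched over TLS as a second line of defence, not as the integrity check itself.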
“The attackers did not indiscriminately push malicious code to the global Notepad++ user base from a foothold within the update infrastructure. Instead, they activated throttling and selectively diverted update traffic to a limited number of targets, organizations, and individuals who were strategically valuable due to their position, access, or technical role.”
“By exploiting the legitimate update mechanisms utilized by developers and administrators in particular, they have turned routine maintenance into a covert entry point for high-value access. This campaign reflects continuity of purpose, continued focus on regional strategic intelligence, and is executed in a manner that is more sophisticated, more subtle, and harder to detect than previous iterations.”
Given the active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address CVE-2025-40536 by February 15, 2026, and fix the remaining three by March 5, 2026.
