Update: Arctic Wolf Observes Threat Campaign Targeting BeyondTrust Remote Support Following CVE-2026-1731 PoC Availability
Summary
Arctic Wolf reports an in-the-wild threat campaign abusing a publicly available proof-of-concept for CVE-2026-1731 to target BeyondTrust Remote Support and Privileged Remote Access deployments. The flaw enables unauthenticated OS command injection on affected systems. Activity observed so far appears focused on opportunistic exploitation of exposed remote-support infrastructure following PoC release.
Investigation
The investigation linked suspicious behavior to exploitation attempts against self-hosted BeyondTrust Remote Support instances vulnerable to CVE-2026-1731. Arctic Wolf noted network patterns and command-execution telemetry consistent with PoC-style exploitation. The reporting did not disclose additional dropped malware or follow-on payload artifacts associated with the activity.
Mitigation
Apply vendor patches for CVE-2026-1731 immediately and reduce exposure by limiting network access to BeyondTrust Remote Support services to trusted admin networks only. Increase monitoring for unexpected command execution and abnormal remote-session behavior, especially on internet-facing appliances and management interfaces.
Response
If exploitation is suspected, isolate the affected host, confirm patch level, and perform forensic scoping for evidence of OS command execution. Rotate potentially exposed credentials and review remote-access logs for unauthorized sessions, suspicious operator actions, and anomalous administrative activity.
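The monitoring and log-review guidance in the Mitigation and Response sections above, turned into a small triage script. This is an added example, not code from Arctic Wolf, BeyondTrust or the original page: the log line format, the sample log lines, the trusted admin networks and the event names (session_start, cmd_exec) are all constructed for the example, and the "command execution without a preceding operator session" check is an assumption about what unauthenticated command injection would look like in such logs, not an indicator published on the page.

```python
import ipaddress
import re

# Trusted administrative networks (constructed placeholder values; replace
# with the networks from which your operators legitimately connect).
TRUSTED_ADMIN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Hypothetical log format, constructed for this example (the page does not
# describe the appliance's real log schema):
#   <timestamp> <event> key=value key="quoted value" ...
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into (timestamp, event, fields); None if malformed."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        return None
    ts, event = parts[0], parts[1]
    rest = parts[2] if len(parts) == 3 else ""
    fields = {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(rest)
    }
    return ts, event, fields


def is_trusted(ip_str):
    """True if the source address falls inside a trusted admin network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETWORKS)


def triage(lines):
    """Return a list of (timestamp, reason, fields) findings.

    Two checks, mirroring the advisory's guidance:
      1. remote-support sessions or command execution originating outside
         the trusted admin networks;
      2. command execution on the appliance with no authenticated operator
         session from that source beforehand (assumed shape of an
         unauthenticated command-injection attempt, constructed for this
         example).
    """
    findings = []
    sessions_from = set()  # sources that have opened an operator session
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        src = f.get("src", "")
        if event == "session_start":
            sessions_from.add(src)
            if not is_trusted(src):
                findings.append((ts, "session_from_untrusted_network", f))
        elif event == "cmd_exec":
            if not is_trusted(src):
                findings.append((ts, "command_exec_from_untrusted_network", f))
            if src not in sessions_from:
                findings.append((ts, "command_exec_without_operator_session", f))
    return findings


# Constructed sample log (not real appliance output).
SAMPLE_LOG = """\
2026-02-10T08:01:12Z session_start user=alice src=10.20.4.7 kind=console
2026-02-10T08:02:40Z cmd_exec user=alice src=10.20.4.7 cmd="show version"
2026-02-10T08:05:03Z session_start user=bob src=203.0.113.44 kind=console
2026-02-10T08:07:55Z cmd_exec user=- src=198.51.100.9 cmd="uname -a"
2026-02-10T08:08:10Z cmd_exec user=bob src=203.0.113.44 cmd="whoami"
not a log line
""".splitlines()


if __name__ == "__main__":
    for ts, reason, fields in triage(SAMPLE_LOG):
        print(ts, reason, fields)
```

Run against a real export, the two reasons separate "operator connected from somewhere unexpected" (worth a ticket and an allowlist review) from "commands ran with no operator session at all", which is the case that should trigger the isolation and forensic-scoping steps described above.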
Attack Flow