Critical Security Flaw in BeyondTrust Products is Already Being Actively Exploited!

It's a chilling reminder that as soon as a vulnerability is revealed, malicious actors are ready to pounce. Threat intelligence firm watchTowr has reported observing the first real-world attacks leveraging a severe security weakness in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products. This isn't a theoretical threat; it's happening now.
Ryan Dewhurst, head of threat intelligence at watchTowr, shared the alarming news, stating, "Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors." He further elaborated on the attackers' method: "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel." This technical detail highlights how attackers are precisely targeting specific pieces of information to gain a foothold.
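For defenders who want to hunt for the sequence watchTowr describes (a get_portal_info request from a client that then opens a WebSocket channel), here is a small correlation script. It is an added example, not code from watchTowr or BeyondTrust, and it assumes a constructed access-log layout (timestamp, client IP, method, path, status, Upgrade header); real appliance logs use their own format, so the field parsing must be adapted before use.

```python
"""Correlate get_portal_info calls with a following WebSocket upgrade per client.

Added example; the log format below is constructed for illustration and is not
BeyondTrust's real log layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real traffic:
# <ISO timestamp> <client IP> <method> <path> <status> <Upgrade header or ->
SAMPLE_LOG = """\
2026-02-09T03:12:01Z 203.0.113.7 POST /api/get_portal_info 200 -
2026-02-09T03:12:03Z 203.0.113.7 GET /ws 101 websocket
2026-02-09T03:15:10Z 198.51.100.4 GET /login 200 -
2026-02-09T03:16:00Z 198.51.100.4 GET /ws 101 websocket
2026-02-09T04:00:00Z 192.0.2.9 POST /api/get_portal_info 200 -
"""

# How long after a get_portal_info call a WebSocket upgrade still counts as related.
WINDOW = timedelta(seconds=60)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, ip, method, path, status, upgrade = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "upgrade": upgrade.lower(),
    }


def find_suspicious_clients(log_text: str, window: timedelta = WINDOW) -> list:
    """Return client IPs that hit get_portal_info and then upgraded to WebSocket within `window`."""
    portal_hits = defaultdict(list)  # ip -> timestamps of get_portal_info calls
    flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["path"].endswith("get_portal_info"):
            portal_hits[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 101 and ev["upgrade"] == "websocket":
            # Flag only when the same client called get_portal_info shortly before.
            recent = any(timedelta(0) <= ev["ts"] - t <= window for t in portal_hits[ev["ip"]])
            if recent:
                flagged.add(ev["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    for ip in find_suspicious_clients(SAMPLE_LOG):
        print("review client:", ip)
```

Treat hits as triage leads rather than verdicts: a legitimate client may well call the same endpoint before starting a session, so the useful next step is to check the appliance version against the patched releases and review what the flagged client did afterwards.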
The vulnerability in question, identified as CVE-2026-1731, carries a CVSS score of 9.9, placing it in the critical severity category. This means it's incredibly dangerous and can be exploited by an unauthenticated attacker to achieve remote code execution by simply sending specially crafted requests. Think of it like sending a specially designed letter that, when opened, automatically runs a malicious program on the recipient's computer without them even knowing!
BeyondTrust themselves confirmed the severity, noting that successful exploitation could allow an attacker to execute operating system commands as if they were the legitimate site user. The consequences? Unauthorized access, data exfiltration (stealing sensitive information), and service disruption (making systems unusable).
But here's where it gets critical for businesses: This vulnerability has already been patched! BeyondTrust has released fixes in the following versions:
- Remote Support: Patch BT26-02-RS, version 25.3.2 and later
- Privileged Remote Access: Patch BT26-02-PRA, version 25.1.1 and later
The rapid exploitation of CVE-2026-1731 serves as a stark illustration of how swiftly threat actors can weaponize newly discovered vulnerabilities. This significantly reduces the precious window of time organizations have to secure their systems before they become targets. It’s a race against time, and unfortunately, the attackers are often faster.
CISA Adds Four Flaws to Its 'Known Exploited Vulnerabilities' Catalog
Adding to the urgency, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This means CISA has concrete evidence that these flaws are being actively exploited in the wild, and federal agencies have deadlines to address them.
Let's break down these newly added vulnerabilities:
CVE-2026-20700 (CVSS score: 7.8): This flaw affects Apple's operating systems (iOS, macOS, tvOS, watchOS, and visionOS). It's a memory buffer vulnerability that could allow an attacker with the ability to write to memory to execute arbitrary code. Imagine a leaky pipe in your house; this is like an attacker being able to control where that leak goes and what it damages.
CVE-2025-15556 (CVSS score: 7.7): Found in Notepad++, this vulnerability involves a download of code without an integrity check. Attackers could intercept or redirect update traffic, tricking users into downloading and running an attacker-controlled installer. This could lead to them executing code with the same privileges as the user running Notepad++. It's like a trusted delivery person swapping out your package for a dangerous one.
CVE-2025-40536 (CVSS score: 8.1): This is a security control bypass vulnerability in SolarWinds Web Help Desk. It could allow an unauthenticated attacker to access restricted functionalities, essentially letting them walk through a locked door.
CVE-2024-43468 (CVSS score: 9.8): An SQL injection vulnerability in Microsoft Configuration Manager. This critical flaw allows an unauthenticated attacker to execute commands on the server or its database by sending specially crafted requests. This is a classic example of attackers manipulating data inputs to gain control.
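To make the "manipulating data inputs" point concrete, here is an added example (not Microsoft Configuration Manager code) that builds a throwaway in-memory SQLite table and contrasts a query assembled from untrusted text with a parameterized one. The table and its rows are constructed for illustration.

```python
"""String-built SQL versus a parameterized query, on a constructed SQLite table.

Added example; nothing here is taken from Configuration Manager.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a small constructed inventory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, site TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("ws-01", "HQ"), ("ws-02", "HQ"), ("srv-01", "DC")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, site: str) -> list:
    """Untrusted input is spliced into the statement text, so it can change the query's logic."""
    sql = f"SELECT name FROM devices WHERE site = '{site}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, site: str) -> list:
    """The value travels separately from the statement; it is only ever compared, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM devices WHERE site = ?", (site,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))    # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no site has that literal name
```

The parameterized version is the fix to look for in any code review: the database driver binds the value after the statement has been parsed, so no input can alter what the statement does.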
And this is the part most people miss: CVE-2024-43468 was actually patched by Microsoft back in October 2024! It's quite concerning that it's still being exploited. It's unclear how it's being used in current attacks, who the attackers are, or the extent of these operations.
This addition to the KEV catalog follows a recent Microsoft report detailing a multi-stage intrusion where attackers exploited internet-exposed SolarWinds Web Help Desk instances. However, Microsoft couldn't confirm if CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399 were involved, as the attacks occurred in December 2025 and on systems vulnerable to both older and newer flaws.
Regarding CVE-2026-20700 (the Apple vulnerability), Apple has acknowledged that it might have been used in a highly sophisticated attack targeting specific individuals on older iOS versions, possibly to deliver commercial spyware. This highlights how even seemingly minor flaws can be part of advanced, targeted campaigns.
As for CVE-2025-15556 (the Notepad++ flaw), security researchers at Rapid7 attribute its exploitation to a China-linked state-sponsored threat actor known as Lotus Blossom (also referred to by several other aliases like Billbug, Bronze Elgin, and Raspberry Typhoon). This group has been active since at least 2009. The attacks involved a backdoor called Chrysalis and a supply chain compromise of the Notepad++ update pipeline, which reportedly lasted for nearly five months between June and October 2025.
The DomainTools Investigations (DTI) team described this incident as a "quiet, methodical intrusion," suggesting a covert intelligence-gathering mission focused on minimizing detection. They characterized the threat actor as someone who prefers long dwell times and multi-year campaigns. A particularly clever aspect of this campaign was that the attackers didn't tamper with the Notepad++ source code itself. Instead, they used trojanized installers to deliver their malicious payloads, effectively bypassing source-code reviews and integrity checks, allowing them to remain undetected for extended periods.
As DTI noted, "From their foothold inside the update infrastructure, the attackers did not indiscriminately push malicious code to the global Notepad++ user base. Instead, they exercised restraint, selectively diverting update traffic for a narrow set of targets, organizations, and individuals whose positions, access, or technical roles made them strategically valuable." They essentially turned a trusted update mechanism into a clandestine entry point for high-value access, demonstrating a sophisticated and subtle approach to intelligence gathering.
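The Notepad++ weakness above is described as a "download of code without an integrity check", and the campaign that followed relied on trojanized installers rather than modified source. The added example below (not Notepad++'s updater code) shows the difference between an updater that runs whatever it downloads and one that verifies a SHA-256 digest first. It assumes the expected digest reaches the client through a channel the attacker cannot alter (pinned in the client, or carried in a signed manifest); the installer byte strings are constructed stand-ins.

```python
"""Integrity check on a downloaded installer before it is executed.

Added example. The installer contents and the pinned digest are constructed;
a real updater would hash the downloaded file and compare against a value
obtained out of band.
"""
import hashlib
import hmac

# Constructed stand-ins for installer bytes.
GENUINE_INSTALLER = b"MZ constructed genuine installer bytes"
TROJANIZED_INSTALLER = b"MZ constructed attacker-modified installer bytes"

# Assumption: this digest was delivered separately from the download server.
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


class IntegrityError(Exception):
    """Raised when a downloaded artifact does not match its expected digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vulnerable_update(downloaded: bytes) -> str:
    """The weak pattern: whatever the update server returned is run as-is."""
    return "executed"


def hardened_update(downloaded: bytes, expected_hex: str = PINNED_SHA256) -> str:
    """Verify before executing; a mismatch aborts instead of falling back to the file."""
    actual = sha256_hex(downloaded)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected_hex):
        raise IntegrityError(
            f"digest mismatch: expected {expected_hex[:16]}..., got {actual[:16]}..."
        )
    return "executed"


if __name__ == "__main__":
    print("vulnerable path, trojanized file:", vulnerable_update(TROJANIZED_INSTALLER))
    print("hardened path, genuine file    :", hardened_update(GENUINE_INSTALLER))
    try:
        hardened_update(TROJANIZED_INSTALLER)
    except IntegrityError as err:
        print("hardened path, trojanized file :", err)
```

The caveat matters for the kind of intrusion DTI describes: when the attacker sits inside the update infrastructure, a digest served from that same infrastructure can be replaced along with the installer, so it protects nothing. A code-signing key held away from the update servers, with the client verifying the signature, is what makes redirected update traffic detectable.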
Deadlines for Federal Agencies:
In response to these active exploits, Federal Civilian Executive Branch (FCEB) agencies have strict deadlines to remediate these vulnerabilities:
- Until February 15, 2026, to address CVE-2025-40536.
- Until March 5, 2026, to fix the remaining three vulnerabilities (CVE-2026-20700, CVE-2025-15556, and CVE-2024-43468).
Now, let's talk about what this means for you. The fact that a CVSS 9.9 vulnerability is being exploited so quickly after disclosure is a wake-up call for all organizations, not just federal agencies. Are your systems adequately protected against these rapidly evolving threats? And considering the sophistication of attacks like the Lotus Blossom campaign, where attackers subtly compromise update mechanisms, how confident are you in the integrity of your software supply chain?
What are your thoughts on the speed at which these vulnerabilities are being weaponized? Do you believe current patching strategies are sufficient, or do we need a more proactive approach? Share your opinions in the comments below – I'd love to hear your perspective!