BeyondTrust CVE‑2026‑1731 Actively Exploited: CISA KEV Expansion and a Stealth Supply Chain Attack on Notepad++

CyberSecureFox 🦊

Attackers are aggressively exploiting the critical vulnerability CVE‑2026‑1731 in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to expand its Known Exploited Vulnerabilities (KEV) catalog. At the same time, researchers are tracking sophisticated campaigns, including a supply chain attack on Notepad++ and targeted abuse of Microsoft, SolarWinds, and Apple iOS flaws.

What CVE‑2026‑1731 in BeyondTrust Is and How It Is Being Exploited

According to watchTowr, in‑the‑wild exploitation of CVE‑2026‑1731 began almost immediately after public disclosure. Adversaries abuse the get_portal_info function to extract the x-ns-company header and then establish a WebSocket channel as a foothold for further attack stages.

CVE‑2026‑1731 carries a CVSS score of 9.9 and enables an unauthenticated remote attacker to execute arbitrary code by sending specially crafted HTTP requests. BeyondTrust warns that successful exploitation allows execution of operating system commands under the website account, which can lead to unauthorized access, data exfiltration, and disruption of critical services.

Telemetry from GreyNoise and Defused Cyber shows that exploitation started within 24 hours of a proof‑of‑concept (PoC) exploit being published. Roughly 86% of reconnaissance traffic stems from a single IP address associated with a commercial VPN endpoint hosted in Frankfurt. This appears to be an existing mass‑scanning infrastructure that quickly integrated CVE‑2026‑1731 checks, rather than a newly formed threat group.

Affected BeyondTrust Products and CISA KEV Deadlines

The vulnerability impacts BeyondTrust Remote Support and BeyondTrust Privileged Remote Access. BeyondTrust has released security updates and stresses that current product versions are not affected. Organizations should immediately deploy the latest RS and PRA releases in line with the official BeyondTrust security advisory.

On 13 February 2026, CISA added CVE‑2026‑1731 to the Known Exploited Vulnerabilities (KEV) Catalog and mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies apply patches by 16 February 2026. Inclusion in KEV signals that a vulnerability is both actively exploited and considered high‑priority for remediation across government and critical infrastructure.

CISA KEV Updates: Microsoft, SolarWinds WHD, and Apple iOS Zero‑Day

CISA has simultaneously added several other actively exploited vulnerabilities to KEV. Among them is CVE‑2024‑43468 in Microsoft products, patched in October 2024 during Patch Tuesday. While a fix is available, public details on the threat actors, exploitation techniques, and campaign scale remain limited.

Additional attention is focused on attacks involving SolarWinds Web Help Desk (WHD). Microsoft reports multi‑stage intrusions where Internet‑exposed WHD instances served as the initial entry point, followed by lateral movement toward higher‑value assets. It is still unclear whether CVE‑2025‑40551, CVE‑2025‑40536, or CVE‑2025‑26399 were used, as the compromises in December 2025 affected servers vulnerable to multiple issues.

CISA has assigned a remediation deadline of 15 February 2026 for CVE‑2025‑40536, and 5 March 2026 for the remaining related flaws, underlining their priority for public‑sector environments.

Another critical entry is CVE‑2026‑20700 in iOS. Apple acknowledges that this vulnerability may have been exploited in “exceptionally sophisticated” attacks against a narrow set of targets on iOS versions prior to iOS 26. Researchers consider it plausible that the exploit was leveraged to deploy commercial spyware. Apple has already shipped a patch, but the case again highlights the value of mobile zero‑days to high‑end threat actors.

Notepad++ Supply Chain Attack and the Role of Lotus Blossom

One of the most concerning campaigns involves exploitation of CVE‑2025‑15556, which Rapid7 attributes to the Chinese state‑linked group Lotus Blossom (also tracked as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, Thrip). The attackers deployed a previously unknown backdoor dubbed Chrysalis through a carefully executed software supply chain attack on Notepad++.

Investigators estimate that the compromise of the Notepad++ update infrastructure lasted for almost five months, from June to October 2025, with full remediation achieved on 2 December 2025. DomainTools describes the operation as a “quiet, methodical insertion,” consistent with long‑term espionage campaigns that aim to remain undetected for extended periods.

Crucially, the Notepad++ source code itself was never modified. Instead, the attackers trojanized installation packages, bypassing typical code‑integrity checks and review processes. Rather than pushing malicious updates universally, the threat actors selectively redirected update traffic only for high‑value organizations and specialists, particularly developers and system administrators, maximizing intelligence gain while minimizing noise.

Adversary‑in‑the‑Middle Techniques and Covert Malware Delivery

Palo Alto Networks Unit 42 reports that the campaign was designed for long‑term collection of sensitive information. The attackers used an adversary‑in‑the‑middle (AitM) position to dynamically fingerprint inbound update requests and identify priority targets.

Instead of altering the Notepad++ build process, they intercepted traffic from an otherwise trusted utility, effectively turning a routine update mechanism into a concealed malware delivery channel. This approach mirrors other high‑impact supply chain attacks seen over the last decade, including the SolarWinds Orion compromise, and underscores how update infrastructure has become a strategic target for advanced persistent threats.

How CVE‑2026‑1731 Is Used in Real Attacks and What Defenders Should Do Now

Arctic Wolf is observing real‑world intrusions against environments running BeyondTrust Remote Support and Privileged Remote Access by exploiting CVE‑2026‑1731. In these cases, adversaries attempt to deploy the SimpleHelp remote monitoring and management (RMM) tool to achieve persistent access and enable lateral movement across the victim network.

For infrastructure reconnaissance, attackers rely on AdsiSearcher to query Active Directory and use PSExec to mass‑deploy SimpleHelp to multiple systems. Early in the intrusion chain, analysts detect Impacket SMBv2 session setup activity, indicating attempts at two‑way network exploration and expansion.

Given the active exploitation of these vulnerabilities and their presence in CISA’s KEV, organizations should immediately patch BeyondTrust RS and PRA to the latest versions. In addition, Notepad++ should be updated to at least version 8.9.1 (as recommended by LevelBlue SpiderLabs); where appropriate, temporarily disable WinGUp auto‑updates and ensure the updater communicates only with legitimate Notepad++ update servers.

Security teams should implement monitoring for anomalous WebSocket sessions on BeyondTrust portals, the sudden appearance of new RMM tools such as SimpleHelp, large‑scale use of PSExec, suspicious SMB activity, and unusual Active Directory queries. Consistently prioritizing patching based on the CISA KEV list, enforcing strict network segmentation, and applying the principle of least privilege can significantly reduce the attack surface and limit the impact of future exploitation campaigns.
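Added example, not code from the article or from any vendor named in it: a small Python triage script that applies the monitoring points above (AdsiSearcher queries, PSExec service installs, new SimpleHelp deployments, SMB session fan-out) to constructed log lines; the `host|user|source|detail` log format, the event source names and the fan-out threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry). Format: host|user|source|detail
SAMPLE_EVENTS = [
    "ws01|alice|process|C:\\Program Files\\Notepad++\\notepad++.exe",
    "ws01|alice|process|powershell.exe -c ([adsisearcher]'(objectCategory=computer)').FindAll()",
    "srv02|svc_rs|service_install|PSEXESVC C:\\Windows\\PSEXESVC.exe",
    "srv02|svc_rs|process|C:\\Windows\\PSEXESVC.exe -d SimpleHelp-Setup.exe /S",
    "srv03|svc_rs|service_install|SimpleHelp Remote Access C:\\Program Files\\SimpleHelp\\Remote Access.exe",
    "srv02|svc_rs|smb|SESSION_SETUP from 10.0.0.5",
    "srv03|svc_rs|smb|SESSION_SETUP from 10.0.0.5",
    "srv04|svc_rs|smb|SESSION_SETUP from 10.0.0.5",
    "ws01|alice|smb|SESSION_SETUP from 10.0.0.20",
]

# String rules keyed on the indicators the article names; matched case-insensitively
# against process command lines and service installs only.
RULES = {
    "ad_query_adsisearcher": re.compile(r"adsisearcher", re.I),
    "psexec_remote_exec": re.compile(r"psexesvc", re.I),
    "new_rmm_simplehelp": re.compile(r"simplehelp", re.I),
}
SMB_FANOUT_THRESHOLD = 3  # distinct hosts one source IP opens SMB sessions to (assumed)

def parse(line):
    host, user, source, detail = line.split("|", 3)
    return {"host": host, "user": user, "source": source, "detail": detail}

def detect(lines):
    """Return (subject, rule, detail) hits: string-rule matches plus SMB fan-out bursts."""
    hits = []
    smb_targets = {}  # source IP -> set of hosts it reached with SESSION_SETUP
    for ev in map(parse, lines):
        if ev["source"] in ("process", "service_install"):
            for rule, pat in RULES.items():
                if pat.search(ev["detail"]):
                    hits.append((ev["host"], rule, ev["detail"]))
        elif ev["source"] == "smb":
            m = re.search(r"from (\d+\.\d+\.\d+\.\d+)", ev["detail"])
            if m:
                smb_targets.setdefault(m.group(1), set()).add(ev["host"])
    # One client authenticating to many hosts in a short window is the SMB pattern worth triaging
    for ip, hosts in smb_targets.items():
        if len(hosts) >= SMB_FANOUT_THRESHOLD:
            hits.append((ip, "smb_session_fanout", f"{len(hosts)} hosts"))
    return hits

def summarize(lines):
    """Count hits per rule, e.g. for a daily triage report."""
    return Counter(rule for _, rule, _ in detect(lines))
```

A single PSEXESVC launch that also carries a SimpleHelp installer triggers both rules, which is the combination the article describes for mass deployment.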
