BeyondTrust's Treasury Breach Flaw Has a Sequel — And Attackers Found It in 24 Hours
CVE-2026-1731: AI found it, hackers exploited it, CISA gave you 3 days to patch.
Don’t Hack On Me — Signal February 14, 2026
The Story
Remember the BeyondTrust vulnerability that let Chinese state-sponsored group Silk Typhoon breach the U.S. Treasury Department in late 2024? Same product. Same WebSocket endpoint. New code path. And this time it’s worse.
CVE-2026-1731 is a critical (CVSS 9.9) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). An unauthenticated attacker can execute arbitrary OS commands via specially crafted requests — no credentials required, no user interaction needed. It affects RS versions 25.3.1 and prior and PRA versions 24.3.4 and prior. Roughly 8,500 self-hosted instances are exposed to the internet, and BeyondTrust serves 20,000+ customers including 75% of the Fortune 100.
Here’s where it gets interesting: this vulnerability was discovered by Hacktron AI through AI-enabled variant analysis of CVE-2024-12356 — the same vulnerability class that enabled the Treasury breach. An AI system found a variant of a nation-state-exploited flaw through automated analysis. That’s a first worth paying attention to.
The timeline is aggressive. BeyondTrust published advisory BT26-02 on February 6 and auto-patched SaaS customers on February 2. A proof-of-concept exploit hit GitHub on February 10. GreyNoise detected active reconnaissance probing within 24 hours. Attackers are already in the wild — Arctic Wolf confirmed exploitation attempts deploying the SimpleHelp RMM tool for persistence and lateral movement. CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities catalog on February 13 with a remediation deadline of February 16. That’s a three-day window. CISA doesn’t do that unless it’s bad.
Source: BT26-02 Security Advisory (BeyondTrust, February 6, 2026)
Who’s Covering This
Rapid7 — Technical breakdown of the vulnerability, affected versions, and fix versions. (February 9, 2026)
GreyNoise — Active scanning detected within 24 hours of PoC release. Also observed the old Silk Typhoon exploit chain (CVE-2024-12356 + CVE-2025-1094) still being replayed as recently as January 2026. (February 12, 2026)
The Hacker News — Confirmed in-the-wild exploitation of the CVSS 9.9 vulnerability. (February 2026)
Hacktron AI — The discoverers. Their write-up describes how AI-enabled variant analysis found the flaw and walks through the responsible disclosure process. (February 6, 2026)
CISA — Added to KEV catalog with a February 16 remediation deadline. (February 13, 2026)
Arctic Wolf — Detected attackers exploiting CVE-2026-1731 to deploy SimpleHelp RMM tool for persistence and lateral movement. (February 2026)
What Does This Mean to Me?
If you’re in security operations: If your organization runs BeyondTrust Remote Support or Privileged Remote Access on-prem, this is a drop-everything patch. Self-hosted instances need to be updated immediately — CISA’s three-day window ends February 16. SaaS customers were auto-patched on February 2, but verify with your BeyondTrust admin. While you’re at it, hunt for indicators of the SimpleHelp RMM tool in your environment — Arctic Wolf confirmed attackers are deploying it post-exploitation for persistence and lateral movement. If you had unpatched instances exposed to the internet before the fix, assume possible compromise and scope an investigation.
Also worth noting: GreyNoise observed the old Silk Typhoon exploit chain (CVE-2024-12356) still being replayed as recently as January 2026. If you patched the first one but haven’t patched this new variant, you’re still exposed on the same endpoint.
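As an added example (not code from the post, BeyondTrust, or any of the vendors cited), here is a small Python triage script that applies the affected-version ranges quoted above to a constructed inventory; the host names, the "RS"/"PRA" labels and the inventory field layout are assumptions.

```python
"""Triage a BeyondTrust RS/PRA inventory against CVE-2026-1731 (BT26-02)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory coverage above:
# Remote Support 25.3.1 and prior, Privileged Remote Access 24.3.4 and prior.
LAST_AFFECTED = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1) so releases compare numerically, not as strings."""
    parts = tuple(int(p) for p in v.strip().split("."))
    # Pad so '25.3' and '25.3.0' compare equal.
    return parts + (0,) * (3 - len(parts))


@dataclass
class Instance:
    host: str
    product: str          # "RS" or "PRA" (labels assumed for this example)
    version: str
    deployment: str       # "self-hosted" or "saas"
    internet_exposed: bool


def is_affected(product: str, version: str) -> bool:
    """True when the running version is at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED[product]


def triage(inst: Instance) -> str:
    """Map one inventory entry to the action the post recommends."""
    if not is_affected(inst.product, inst.version):
        return "patched"
    if inst.deployment == "saas":
        return "saas reports an affected version: verify with your BeyondTrust admin"
    if inst.internet_exposed:
        return "CRITICAL: patch now, assume possible compromise, scope an investigation"
    return "HIGH: patch before the February 16 KEV deadline"


def triage_all(inventory: List[Instance]) -> Dict[str, str]:
    """Return host -> action for a whole inventory."""
    return {inst.host: triage(inst) for inst in inventory}


# Constructed sample inventory; none of these hosts or versions are real findings.
INVENTORY = [
    Instance("rs-dmz-01", "RS", "25.3.1", "self-hosted", True),
    Instance("rs-lab-02", "RS", "25.2", "self-hosted", False),
    Instance("pra-cloud", "PRA", "24.3.4", "saas", True),
    Instance("pra-corp-01", "PRA", "24.10.0", "self-hosted", True),
]

if __name__ == "__main__":
    for host, action in triage_all(INVENTORY).items():
        print(f"{host}: {action}")
```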
If you’re in leadership: This is the same product that enabled a nation-state breach of the U.S. Treasury, and it’s the same vulnerability class on the same endpoint. That’s a pattern, not a coincidence. If your organization relies on BeyondTrust for privileged access — and if you’re in the Fortune 100, there’s a 75% chance you do — this should trigger a broader conversation about your architecture. Privileged access tools sit at the heart of your trust model. When they have pre-auth RCE flaws, attackers don’t need credentials. They don’t even need to knock.
The AI discovery angle matters for your strategy too. This is one of the first major CVEs discovered by an AI system through variant analysis. That’s going to accelerate. Vulnerability discovery is getting faster on both sides — AI is finding bugs, sometimes before the bad guys do and sometimes after. The good news: responsible disclosure worked here. Hacktron found it, reported it, BeyondTrust patched it. But the window between disclosure and exploitation is shrinking to hours, not days. Your patching programs need to match that pace.
The bigger picture: We’re going to see more of this. AI-enabled variant analysis means that when a vulnerability class is found in a product, every related code path in that product gets scrutinized at machine speed. For defenders, that’s ultimately good — bugs get found and fixed faster. For attackers, it means they can automate the same analysis. The race between discovery and exploitation is getting faster on both sides. The organizations that survive are the ones that can patch at the speed the threat demands. CISA giving a three-day remediation window is the clearest signal yet that the old “patch within 30 days” cadence is dead for critical vulns.
Stay alert. Don’t let them hack on you.
This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.