CISA KEV Catalog Updated with Actively Exploited BeyondTrust and SolarWinds RMM Flaws

CISA Mandates Patching for Critical RMM Vulnerabilities in BeyondTrust and SolarWinds Products Amid Active Exploitation

CRITICAL
February 20, 2026
Vulnerability, Patch Management, Regulatory

Related Entities

Products & Tech

BeyondTrust Remote Support, BeyondTrust Privileged Remote Access, SolarWinds Web Help Desk

CVE Identifiers

CVE-2026-1731
CRITICAL
CVSS: 9.9


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical directive by adding multiple vulnerabilities in remote monitoring and management (RMM) products from BeyondTrust and SolarWinds to its Known Exploited Vulnerabilities (KEV) catalog. This action serves as official confirmation that these flaws are under active exploitation by threat actors. The affected products, including BeyondTrust Remote Support, Privileged Remote Access, and SolarWinds Web Help Desk, are high-value targets as they provide deep, privileged access into enterprise networks. CISA has given Federal Civilian Executive Branch (FCEB) agencies a three-day deadline to apply patches, signaling the extreme urgency of the threat for all organizations using these tools.

Vulnerability Details

The advisory highlights several critical flaws, with a particular focus on remote code execution (RCE) vulnerabilities that allow attackers to gain an initial foothold and execute arbitrary code.

  • Products: BeyondTrust Remote Support, BeyondTrust Privileged Remote Access, SolarWinds Web Help Desk
  • Key Vulnerability: CVE-2026-1731 (CVSS 9.9 - Critical) in SolarWinds Web Help Desk allows for remote code execution.
  • Impact: Successful exploitation grants attackers privileged access, allowing them to deploy malware, move laterally, and execute ransomware attacks.

Threat intelligence indicates that attackers are engaged in mass scanning of the internet, actively hunting for unpatched, vulnerable instances of these RMM tools. A compromised RMM solution is a 'keys to the kingdom' scenario, enabling attackers to bypass perimeter defenses and manage endpoints as if they were legitimate administrators.

Affected Systems

  • BeyondTrust Remote Support (versions prior to the latest patch)
  • BeyondTrust Privileged Remote Access (versions prior to the latest patch)
  • SolarWinds Web Help Desk (versions vulnerable to CVE-2026-1731)

All organizations utilizing these products are urged to immediately identify their exposure and prioritize remediation.

Exploitation Status

CISA's inclusion of these vulnerabilities in the KEV catalog confirms that they are not theoretical: they are being actively and widely exploited in the wild. The primary attack vector is an unauthenticated attacker on the internet scanning for and attacking exposed, vulnerable RMM servers. The observed activity is a precursor to more significant intrusions, including data theft and ransomware deployment.

Impact Assessment

The business impact of exploiting these vulnerabilities is severe. Attackers can:

  • Gain administrative control over the RMM platform.
  • Deploy malicious tools or ransomware to all connected endpoints managed by the RMM.
  • Exfiltrate sensitive data from across the enterprise network.
  • Establish persistent access for long-term espionage.

For any organization, a compromised RMM tool represents a catastrophic failure of security controls, potentially leading to a complete network compromise, extensive downtime, and significant financial and reputational damage. The short patching deadline from CISA underscores this critical risk.

Cyber Observables for Detection

Type                     Value                                          Description
url_pattern              /WebHelpDesk/                                  Default URL path for SolarWinds Web Help Desk. Monitor for unusual requests to this path.
process_name             WebHelpDesk.exe                                The main process for SolarWinds Web Help Desk. Monitor for suspicious child processes.
url_pattern              /login/login.pro                               Common login interface for BeyondTrust products. Monitor for brute-force attempts or access from unusual IPs.
network_traffic_pattern  Mass scanning activity on ports 80, 443, 8080  Threat actors scanning for exposed RMM web interfaces.
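The following script is an added example for this article, not CISA, BeyondTrust or SolarWinds code. It applies the two url_pattern observables from the table to web-server access logs in combined log format and raises findings for requests to an RMM path from outside a management allowlist, for repeated failed POSTs to /login/login.pro from one source (a brute-force heuristic), and for RMM requests whose query string carries sequences rarely seen in legitimate use. The allowlist subnet, the failure threshold, the unusual-parameter pattern and every log line are constructed assumptions; tune them to your own environment.

```python
"""
Detection example added for this article (not CISA, BeyondTrust or SolarWinds code).
It applies the url_pattern observables from the table above to web-server access
logs and raises findings for:
  - any request to an RMM path from a source outside a management allowlist
  - repeated failed POSTs to /login/login.pro from one source (brute-force heuristic)
  - RMM requests whose query string carries characters rarely seen in legitimate use
The allowlist, threshold, parameter heuristic and every log line are constructed assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# url_pattern observables from the table, matched as path prefixes
RMM_PATHS = ("/WebHelpDesk/", "/login/login.pro")

# Assumption: the only subnet that should ever reach the RMM web interfaces
MGMT_ALLOWLIST = [ip_network("10.10.0.0/16")]

FAILED_LOGIN_THRESHOLD = 5  # failed POSTs per source IP before raising a brute-force finding

# Assumption: traversal sequences, NUL bytes and shell/markup metacharacters are
# unusual in legitimate RMM query strings; tune this to your own traffic baseline.
UNUSUAL_PARAM = re.compile(r"\.\./|\x00|[;|`$<>]")

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one combined-format access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_rmm_request(target):
    """True when the request path starts with one of the observable URL patterns."""
    path = urlsplit(target).path
    return any(path.startswith(prefix) for prefix in RMM_PATHS)


def is_allowlisted(ip):
    """True when the source address falls inside the management allowlist."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def has_unusual_params(target):
    """True when the raw or percent-decoded query string contains an unusual sequence."""
    query = urlsplit(target).query
    if not query:
        return False
    return bool(UNUSUAL_PARAM.search(query) or UNUSUAL_PARAM.search(unquote(query)))


def analyze(lines):
    """Return a list of (rule, source_ip, detail) findings for the given access-log lines."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_rmm_request(rec["target"]):
            continue  # unparseable, or unrelated to the RMM interfaces
        if not is_allowlisted(rec["ip"]):
            findings.append(("rmm_access_outside_allowlist", rec["ip"], rec["target"]))
        if has_unusual_params(rec["target"]):
            findings.append(("unusual_url_parameter", rec["ip"], rec["target"]))
        if (rec["method"] == "POST" and rec["target"].startswith("/login/login.pro")
                and rec["status"] in (401, 403)):
            failed_logins[rec["ip"]] += 1
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("login_bruteforce", ip, f"{count} failed POSTs to /login/login.pro"))
    return findings


def findings_by_rule(findings):
    """Count findings per rule name, handy for a quick triage summary."""
    return Counter(rule for rule, _, _ in findings)


# Constructed sample log: one allowlisted admin, one unrelated request, one external
# source probing the Web Help Desk path, and one external source hammering the login page.
SAMPLE_LOG = [
    '10.10.5.20 - - [20/Feb/2026:09:01:12 +0000] "GET /WebHelpDesk/ HTTP/1.1" 200 5123',
    '10.10.5.20 - - [20/Feb/2026:09:01:40 +0000] "POST /login/login.pro HTTP/1.1" 302 0',
    '192.0.2.4 - - [20/Feb/2026:09:02:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
    '203.0.113.77 - - [20/Feb/2026:09:02:01 +0000] "GET /WebHelpDesk/ HTTP/1.1" 200 5123',
    '203.0.113.77 - - [20/Feb/2026:09:02:05 +0000] '
    '"GET /WebHelpDesk/index.html?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210',
] + [
    f'198.51.100.9 - - [20/Feb/2026:09:03:{sec:02d} +0000] "POST /login/login.pro HTTP/1.1" 401 0'
    for sec in range(5)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script reports seven requests from outside the allowlist, one unusual query string and one brute-force source, and nothing for the allowlisted administrator. The allowlist check is the most valuable of the three rules: once the interface is restricted as the remediation steps recommend, any RMM request from an unexpected source is itself a finding, independent of what the request contains.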

Detection Methods

  • Vulnerability Scanning: Immediately run authenticated and unauthenticated vulnerability scans across your entire IP space to identify any instances of the affected BeyondTrust and SolarWinds products. Pay close attention to version numbers.
  • Log Analysis: Scrutinize the web server logs of the RMM tools for anomalous requests, exploit signatures (e.g., unusual URL parameters), or access attempts from unknown IP addresses. Monitor for signs of Exploitation for Client Execution (T1203).
  • Endpoint Monitoring: On the RMM servers themselves, monitor for the creation of new files, unexpected processes, or outbound network connections. Use an EDR solution to detect suspicious child processes spawned by the main RMM application process. This aligns with D3FEND Process Analysis (D3-PA).
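The following script is an added example for this article, not vendor, CISA or EDR product code. It implements the "suspicious child process" check from the Endpoint Monitoring bullet over process-creation records shaped like Sysmon Event ID 1 (pid, ppid, image, command line, user). It walks the whole parent chain rather than checking only the direct parent, so an interpreter launched through an intermediate worker process of the RMM service is still attributed to it. The field names, the list of suspicious children, the file paths and every event are constructed assumptions; the list of children should be tuned to what the RMM service legitimately launches in your environment.

```python
"""
Endpoint detection example added for this article (not vendor, CISA or EDR product code).
It implements the 'suspicious child process' check from the Endpoint Monitoring bullet
over process-creation records shaped like Sysmon Event ID 1 (pid, ppid, image, command line).
Walking the parent chain, rather than checking only the direct parent, also catches an
interpreter launched through an intermediate worker process. The field names, the
suspicious-child list, the file paths and every event below are constructed assumptions.
"""

# process_name observable from the table (compared case-insensitively by basename)
RMM_PROCESSES = {"webhelpdesk.exe"}

# Assumption: interpreters and utilities a helpdesk web application has no reason to spawn;
# adjust to your own baseline of what the RMM service legitimately launches.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
}


def basename(image_path):
    """Lower-cased file name of a Windows or POSIX image path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def index_by_pid(events):
    """Map pid -> event; assumes pids are unique within the analysed window."""
    return {e["pid"]: e for e in events}


def rmm_ancestor(pid, by_pid, max_depth=8):
    """Return the RMM image name found walking up the parent chain of pid, or None.

    Stops at max_depth, on a cycle, or when the chain leaves the event set, so a
    missing root process (e.g. services.exe not captured) never causes an error.
    """
    cur = by_pid.get(pid)
    seen = set()
    for _ in range(max_depth):
        if cur is None or cur["ppid"] in seen:
            return None
        seen.add(cur["ppid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        name = basename(parent["image"])
        if name in RMM_PROCESSES:
            return name
        cur = parent
    return None


def find_suspicious(events):
    """Return findings for suspicious images that descend from an RMM process."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        child = basename(e["image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        ancestor = rmm_ancestor(e["pid"], by_pid)
        if ancestor is not None:
            findings.append({
                "pid": e["pid"],
                "image": child,
                "rmm_ancestor": ancestor,
                "user": e["user"],
                "command_line": e["command_line"],
            })
    return findings


# Constructed sample: the RMM service spawns a worker, which spawns cmd.exe and then
# PowerShell; a separate admin shell under explorer.exe must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "command_line": "services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe", "user": "CORP\\admin"},
    {"pid": 1200, "ppid": 400, "image": r"C:\RMM\WebHelpDesk.exe",  # install path is a placeholder
     "command_line": "WebHelpDesk.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1210, "ppid": 1200, "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\RMM\bin\worker.exe",  # constructed worker process
     "command_line": "worker.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1310, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c hostname", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1320, "ppid": 1310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe", "user": "CORP\\admin"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f)
```

On the constructed events the script flags the cmd.exe and powershell.exe processes under the RMM service (both reached through the worker) and stays silent on the administrator's own shell under explorer.exe. In a SIEM the same logic maps onto a parent/child join on process-creation events; the ancestor walk is what keeps the detection robust when the RMM application launches helpers before the interpreter.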

Remediation Steps

  1. Patch Immediately: This is the highest priority. Apply the security updates provided by BeyondTrust and SolarWinds immediately. This is the core of D3FEND Software Update (D3-SU).
  2. Restrict Access: If patching cannot be done instantly, restrict all access to the RMM web interfaces from the internet. Place them behind a VPN or enforce a strict IP allowlist. This is a critical compensating control.
  3. Assume Breach: Given the active exploitation, if your systems were exposed and unpatched, you should assume they may have been compromised. Initiate a hunt for suspicious activity, looking for signs of persistence, new local accounts, or unusual network traffic.
  4. Review Segmentation: Ensure your RMM servers are in a properly segmented network zone and cannot directly access Tier 0 assets like domain controllers without passing through additional security controls.

Timeline of Events

  1. February 20, 2026: CISA adds vulnerabilities in BeyondTrust and SolarWinds products to the KEV catalog.
  2. February 20, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by the vendors immediately.

Restrict network access to the administrative interfaces of RMM tools. They should not be exposed to the public internet.

Run public-facing applications in isolated environments to limit the impact of a compromise.

Use network segmentation to prevent attackers who compromise an RMM tool from moving laterally to other critical systems.

D3FEND Defensive Countermeasures

The most critical and immediate action is to apply the security patches released by BeyondTrust and SolarWinds. Given that CISA has added these vulnerabilities to the KEV catalog, there is no time for delay. Organizations must activate their emergency patching procedures. This involves identifying all instances of the vulnerable software using asset inventory and vulnerability scanning tools, testing the patch in a non-production environment if possible (though the urgency may require direct deployment), and rolling it out to all affected systems. Verification is key: after deployment, re-scan the systems to confirm they are no longer reported as vulnerable. For RMM tools, which have high privileges, maintaining an up-to-date software inventory and a rapid patching capability is not just a best practice; it is an essential security function.

As a powerful compensating control, especially if patching is delayed, organizations must implement Network Isolation for their RMM servers. Under no circumstances should the administrative web interface of a tool as powerful as BeyondTrust or SolarWinds Web Help Desk be directly reachable from the public internet. Restrict access to a management VLAN and require users to connect first to a VPN with multi-factor authentication. This creates a layered defense: an attacker would need to compromise the VPN before they could even attempt to exploit the RMM vulnerability, and the attack surface shrinks from 'the entire internet' to 'a small group of authenticated administrators', which puts the interface out of reach of mass scanning and opportunistic attacks.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

cisa, kev, beyondtrust, solarwinds, rmm, vulnerability, patching
