
BeyondTrust Breach: Protect Your Salesforce Org from Hackers

By Henry Martin

Updated February 17, 2026

Hackers have started exploiting a vulnerability in software from BeyondTrust – a cybersecurity and identity access company that integrates with Salesforce. 

BeyondTrust Remote Support (RS) and “certain older versions” of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability, according to the US Government’s National Vulnerability Database. By sending specially crafted requests, an unauthenticated remote attacker might be able to execute operating system commands in the context of the site user. Let’s take a look at what happened. 

BeyondTrust Exploit Timeline

BeyondTrust was one of many companies – along with Google, Cloudflare, Rubrik, and Tenable – said to have been impacted in the Salesloft data breaches late last year. 

The ShinyHunters hacking group previously told BleepingComputer that the Salesloft campaign affected around 760 companies, resulting in the theft of 1.5 billion Salesforce records.

Attackers have now started actively exploiting the pre-authentication vulnerability in BeyondTrust software, and proactive threat intelligence group watchTowr has warned users to assume that self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) instances are now compromised if they have not been patched since the February 6 disclosure.

Roughly 11,000 instances are exposed to trivial exploitation, researchers at Hacktron claimed. 

In an advisory, BeyondTrust warned: “BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical pre-authentication remote code execution vulnerability that may be triggered through specially crafted client requests. 

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

Here’s how the incident unfolded: 

  • January 31, 2026: BeyondTrust discovers “anomalous activity” on a single Remote Support appliance. An external security researcher confirms and validates this activity, and reports the vulnerability in Remote Support and Privileged Remote Access to BeyondTrust. Triage and root cause analysis are completed. Patch development begins.
  • February 2: Patches are issued and automatically deployed to all instances with BeyondTrust’s update service enabled. BeyondTrust SaaS instances are fully patched.
  • February 3: A knowledge article is published on the customer portal advising customers to patch.
  • February 4: An email notification is sent to all active self-hosted customers who had not already patched.
  • February 6: A BeyondTrust Security Advisory and CVE are published. A follow-up email notification is sent to all active self-hosted customers who had not already patched.
  • February 10: An initial exploitation attempt is observed. A subsequent email notification is sent to all active self-hosted customers who had not already patched.
  • Time of writing (February 16): BeyondTrust says it is continuing to support customers in their patching, investigation, and response.

BeyondTrust is “strongly encouraging” all self-hosted customers who had internet-exposed instances that remained unpatched as of February 9 to take immediate action to apply the recommended updates and open a “Severity 1” ticket to BeyondTrust support, citing “BT26-02” in the description.

The company acknowledges Harsh Jaiswal and Hacktron AI for responsibly disclosing the vulnerability to BeyondTrust. Hacktron AI identified the vulnerability “through their novel approach to AI-enabled variant analysis”, BeyondTrust said.

BeyondTrust-Salesforce Integration Explained

BeyondTrust documentation states that service desks and customer support organizations using Salesforce can integrate with BeyondTrust.

This integration with Remote Support allows technicians to launch BeyondTrust sessions from within Salesforce cases using the Generate Session Key button. BeyondTrust session data is also written back to Salesforce cases. 

Integration includes chat transcripts, system information, session notes, customer and representative surveys, session recordings, and more details about each BeyondTrust session.

Base integration requirements include a working Salesforce instance, and BeyondTrust Appliance B Series (physical or virtual) with:

  • Version 17.x or later
  • At least one usable representative console that can generate session keys
  • A working BeyondTrust Remote Support public site through which users can connect to representatives

You also need network firewall rules to allow TCP 443 traffic from the appropriate Salesforce instance to reach the BeyondTrust Appliance B Series.

Developer-turned-architect and Technology Engagement Manager at Banham Patent Locks, Beech Horn, told SF Ben that we might be beyond the point of focusing on single flaws – and their fixes – and we now need to pay attention to the systems in place from vendors.

He said: “If BeyondTrust isn’t using AI to test the security of their product, attackers are, and they should be thankful someone even took the time to find and report it to them.

“This is only going to get worse as we move from token by token AI assessment to graph based AST analysis, taking exploits from diverse sources and applying them anew to systems that have never seen the like before, able to reverse engineer products and find their flaws. 

“If you’re a vendor not learning to use AI to scale up your defences, you’ll soon be outnumbered, surrounded, and in the headlines.”

SF Ben has contacted Salesforce for comment. 

Summary

Hackers are exploiting a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access.

Remote attackers sending specially crafted requests could execute operating system commands in the context of the site user.

The Author

Henry Martin

Henry is a Tech Reporter at Salesforce Ben.
