# References — BeyondTrust Privilege Management for Windows CVE-2026-1232

Annotated bibliography of primary and secondary sources used in this analysis, organized by category.

---

## Primary Sources — Vendor Advisory & Official Records

**BeyondTrust — Security Advisory BT26-01**
https://www.beyondtrust.com/trust-center/security-advisories/bt26-01

The authoritative vendor advisory for CVE-2026-1232, published February 2, 2026. Provides the CVSSv4 score of 6.8, the full vector string (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N), CWE-693 classification, affected version range (≤ 25.7), and fixed version (25.8 or later). Most importantly, it provides the precise technical description used in the Vulnerability Chain section: "In specific scenarios, these session restrictions may not be consistently enforced across all elevated execution paths." This is the single most authoritative source for every factual claim in this writeup.

**BeyondTrust — Knowledge Base Article KB0023100**
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0023100

BeyondTrust's operational upgrade guide for CVE-2026-1232. Contains deployment-specific patch instructions, upgrade path considerations, and known issues with the upgrade process. Referenced in the Remediation section as the definitive source for administrators applying the patch. Access may require a BeyondTrust support account.

**NVD — CVE-2026-1232**
https://nvd.nist.gov/vuln/detail/CVE-2026-1232

NIST National Vulnerability Database entry for CVE-2026-1232. Confirms the CVSSv4 Base Score of 6.8 (Medium) as submitted by BeyondTrust as the CNA, the CWE-693 classification, and the official technical description. The CVSS vector breakdown in the analysis.md document and the "Why Medium Severity Does Not Mean Low Risk" discussion both draw from the specific vector components documented here.
Note: NVD's own enrichment assessment was not yet complete at time of writing; the CNA-submitted score is used throughout this writeup.

**CVE.org — CVE-2026-1232 Record**
https://www.cve.org/CVERecord?id=CVE-2026-1232

The canonical CVE Program record. Confirms the CVE identifier, description, and cross-references to BeyondTrust's advisory and NVD entry. Used for identifier verification and as the reference organizations should use when tracking this vulnerability in vulnerability management tooling.

---

## Detection Engineering

**Tenable — Nessus Plugin 298005**
https://www.tenable.com/plugins/nessus/298005

Tenable's detection plugin for CVE-2026-1232, published February 3, 2026 — one day after the advisory. Confirms the version-based detection approach (checking installed version against the ≤ 25.7 threshold), provides the recommended upgrade target, and links to BeyondTrust's advisory. Used in the Timeline section to establish the 72-hour disclosure-to-coverage timeframe and referenced in the Detection section as the basis for the version audit approach.

**SentinelOne — Vulnerability Database: CVE-2026-1232**
https://www.sentinelone.com/vulnerability-database/cve-2026-1232/

SentinelOne's third-party vulnerability database entry, published February 5, 2026. Provides a technical summary consistent with BT26-01, remediation guidance (upgrade to > 25.7), and references to BeyondTrust's KB article. Used as a cross-reference for the technical description and as evidence of the broad third-party awareness that followed the advisory.

**Microsoft — Windows Event Log Event IDs Reference**
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Microsoft's reference for Windows security event IDs recommended for monitoring.
The Detection section's event log queries (Event IDs 4670, 4657, 7036, 7040, 4688) are grounded in Microsoft's own guidance on which events indicate object permission changes, registry modifications, service state changes, and process creation activity — all relevant to detecting anti-tamper bypass exploitation.

**MITRE ATT&CK — T1562.001: Impair Defenses — Disable or Modify Tools**
https://attack.mitre.org/techniques/T1562/001/

The ATT&CK technique covering adversary modification or disabling of security tools. The post-bypass consequence scenarios in the Vulnerability Chain (Stage 4) and the Attack Surface section map directly to this technique. The detection guidance in ATT&CK for T1562.001 informed the SIEM and KQL queries in the Detection section. Organizations should map CVE-2026-1232 remediation to T1562.001 in their detection coverage matrix.

**MITRE ATT&CK — T1562.006: Impair Defenses — Indicator Blocking**
https://attack.mitre.org/techniques/T1562/006/

Covers scenarios where an adversary modifies security tool configuration to suppress telemetry or logging. Directly relevant to the "audit suppression" consequence scenario described in Stage 4 of the Vulnerability Chain — if the bypass is used to modify BeyondTrust's logging configuration, this technique describes the downstream effect. Referenced in the Systemic Lessons section when discussing why configuration integrity monitoring is more important than service uptime monitoring.

---

## Vulnerability Classification Context

**MITRE CWE-693 — Protection Mechanism Failure**
https://cwe.mitre.org/data/definitions/693.html

Authoritative definition of CWE-693, the vulnerability class assigned to CVE-2026-1232. Defines a protection mechanism failure as a case where "the product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product." Distinguishes CWE-693 from CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization).
The conceptual framing of the vulnerability in the Executive Summary and Vulnerable Design sections draws directly from this definition.

**MITRE CWE-362 — Concurrent Execution Using Shared Resource with Improper Synchronization (Race Condition)**
https://cwe.mitre.org/data/definitions/362.html

Adjacent CWE referenced in the analysis discussion of possible root causes. The advisory's language — "may not be consistently enforced across all elevated execution paths" — is consistent with either a path-enumeration gap or a race condition between protection check and protected state access. CWE-362 provides the technical framing for the latter possibility.

---

## Government & Regulatory Response

**Canadian Centre for Cyber Security — Advisory AV26-077**
https://www.cyber.gc.ca/en/alerts-advisories/beyondtrust-security-advisory-av26-077

The Canadian Centre for Cyber Security's advisory issued February 2, 2026, the same day as BT26-01. Recommends that users and administrators upgrade Privilege Management for Windows to versions 25.8 or later. Confirms government-level external validation of the BeyondTrust advisory and provides an independent recommendation. Referenced in the Timeline section to establish the speed of government advisory response and in the References section of the main README.

**CISA — Known Exploited Vulnerabilities Catalog**
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CISA's KEV catalog, checked as of June 2026. CVE-2026-1232 is not listed in the catalog at the time of writing, consistent with the absence of confirmed exploitation in the wild. Organizations should monitor for any future addition that would indicate active exploitation and trigger emergency patching timelines under CISA's Binding Operational Directive 22-01.

**NIST SP 800-53 Rev. 5 — Control SI-7: Software, Firmware, and Information Integrity**
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-7

NIST 800-53 control requiring integrity verification mechanisms to detect unauthorized changes to software and configuration. The Long-Term Hardening recommendations in the Remediation section — particularly treating BeyondTrust configuration as a change-controlled asset and integrating integrity checks into endpoint health monitoring — are grounded in the implementation requirements of SI-7. Organizations subject to FedRAMP, FISMA, or CMMC Level 2/3 should map CVE-2026-1232 remediation activities to SI-7 compliance evidence.

---

## Broader Context — BeyondTrust Security History & Endpoint Privilege Management

**BeyondTrust — Security Advisory BT26-02 (CVE-2026-1731)**
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02

BeyondTrust's advisory for CVE-2026-1731, a separate critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access, published February 6, 2026. Referenced in the Background section to establish the elevated scrutiny BeyondTrust advisories receive following prior high-severity disclosures. Not related to CVE-2026-1232, but provides important context for why the security community and BeyondTrust's customer base treat their advisories as high-visibility events.

**NIST SP 800-167 — Guide to Application Whitelisting**
https://csrc.nist.gov/publications/detail/sp/800-167/final

NIST guidance on application whitelisting, the broader category of endpoint control that BeyondTrust Privilege Management implements. Provides the architectural context in which CVE-2026-1232's impact should be understood — a bypass in an application whitelisting or privilege management tool undermines the compensating control that organizations deploy specifically because they cannot achieve security through other means alone.
**CrowdStrike — Protecting the Falcon Sensor from Tampering**
https://www.crowdstrike.com/blog/tech-center/protecting-falcon-sensor/

CrowdStrike's description of their kernel-mode tamper protection architecture. Referenced in the Systemic Lessons section as a contrast to userspace-only anti-tamper implementations — CrowdStrike's use of a kernel driver as the primary protection layer directly addresses the architectural weakness that CVE-2026-1232 exposes. Reading this alongside BT26-01 illustrates the architectural difference between kernel-enforced and session-enforced anti-tamper protection.

**Microsoft — Windows Integrity Levels and Mandatory Integrity Control**
https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

Microsoft documentation on Windows mandatory integrity control. Provides technical background for why elevated local privileges are a meaningful precondition for CVE-2026-1232: reaching certain protected objects requires both discretionary access (being the right user account) and mandatory access (operating at the right Windows integrity level). The discussion of session-level restrictions in the Vulnerability Chain section is grounded in these Windows security primitives.

**Microsoft — Windows Service Security and Access Rights**
https://learn.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights

Microsoft documentation on Windows service security descriptors and the access rights that govern who can start, stop, pause, and reconfigure services. Provides technical background for the service-level tamper detection queries in the Detection section and for understanding why service hardening alone (via security descriptors) is an incomplete anti-tamper mechanism when the attacker has elevated local privileges.
---

## Summary of Core Compromise Metrics

| Metric | Detail / Value |
| :--- | :--- |
| **Disclosure Date** | February 2, 2026 (advisory BT26-01; no confirmed in-the-wild exploitation at time of writing) |
| **Affected Versions** | BeyondTrust Privilege Management for Windows versions ≤ 25.7 (versions 25.0–25.7) |
| **Injected Dependency** | Not applicable — this is an anti-tamper bypass vulnerability, not a dependency injection attack |
| **Primary Vector** | Local — requires an authenticated user with elevated privileges on the target system |
| **Threat Actor** | Local authenticated users with elevated privileges (an insider, or an attacker who has already obtained elevated access) |
| **Payload Names** | Not applicable — no specific malware payload; the exploit bypasses anti-tamper protections to modify product configuration |