Table of Contents
What Should IT Teams Know About the Actively Exploited BeyondTrust Security Flaw?
Core Advisory
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning regarding CVE-2026-1731, a critical pre-authentication remote code execution vulnerability affecting BeyondTrust’s Remote Support and Privileged Remote Access products. Federal agencies received a three-day deadline to patch their systems, reflecting the severity of active exploitation in the wild.
Understanding BeyondTrust Products
BeyondTrust operates as a U.S.-based cybersecurity vendor specializing in privileged access management solutions. The company’s software portfolio includes password safes, endpoint privilege management tools, secure remote access capabilities, and remote support platforms. Organizations across North America, Germany, Austria, and Switzerland deploy these products to manage privileged sessions and administrative access.
Vulnerability Characteristics
CVE-2026-1731 carries a CVSSv4 score of 9.9, placing it in the critical severity category. The flaw enables unauthenticated attackers to execute operating system commands through specially crafted requests without requiring user interaction.
Affected versions include:
- Remote Support 25.3.1 and earlier
- Privileged Remote Access 24.3.4 and earlier
The vulnerability stems from improper input validation in request handling, allowing command injection through malicious WebSocket requests. Attackers query the /get_portal_info endpoint to obtain the X-Ns-Company identifier, establish a WebSocket channel, and execute arbitrary commands on vulnerable systems.
Timeline and Response
BeyondTrust’s security team detected unusual activity on a single Remote Support device in late January 2026. An external researcher validated the findings and responsibly disclosed the vulnerability on January 31, 2026. Patches BT26-02-RS and BT26-02-PRA were released February 2, 2026, with automatic deployment to cloud instances.
The vendor published a security advisory February 6, 2026, with updates following February 13, 2026. The first exploitation attempts appeared February 10, 2026, approximately eight days after patches became available. Security researcher Ryan Dewhurst confirmed active exploitation February 13, 2026, prompting CISA’s KEV catalog addition February 15, 2026.
Exploitation Impact
Successful exploitation grants attackers multiple capabilities that threaten organizational security. Command execution occurs in the site user context, enabling full system compromise. Privileged access platforms maintain high-trust network positions, expanding the potential blast radius of compromises.
Potential consequences include:
- Unauthorized access to privileged sessions
- Credential theft and lateral movement to managed endpoints
- Data exfiltration from connected systems
- Service disruption affecting remote access capabilities
- Persistent access establishment for prolonged compromise
Approximately 11,000 BeyondTrust Remote Support instances remain exposed online, with 8,500 representing on-premises deployments requiring manual patching.
Remediation Requirements
Organizations must apply vendor patches immediately to mitigate CVE-2026-1731. Cloud-hosted instances received automatic patches February 2, 2026, but self-hosted deployments require manual intervention.
Recommended patch versions:
- Remote Support: Patch BT26-02-RS (versions 21.3 through 25.3.1) or upgrade to 25.3.2 and later
- Privileged Remote Access: Patch BT26-02-PRA (versions 22.1 through 24.X) or upgrade to 25.1 and later
Network access to BeyondTrust services should be restricted to trusted administrative networks only. Organizations should monitor for unexpected command execution, abnormal remote session behavior, and suspicious activity on internet-facing appliances.
Incident Response Considerations
Security teams suspecting exploitation should isolate affected hosts immediately and confirm patch levels. Forensic analysis should focus on evidence of OS command execution, unauthorized session creation, and anomalous administrative activity. Credential rotation becomes necessary for potentially exposed accounts, with comprehensive review of remote access logs for suspicious operator actions.
Unpatched devices should be treated as compromised given the availability of public proof-of-concept code on GitHub and confirmed exploitation activity. Federal agencies operating under Binding Operational Directive 22-01 must complete remediation or discontinue product use if mitigations prove unavailable.