BeyondTrust fixes easy-to-exploit pre-auth RCE vulnerability in remote access tools (CVE-2026-1731)

BeyondTrust fixed a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support (RS) and Privileged Remote Access (PRA) solutions and is urging self-hosted customers to apply the patch as soon a possible.

Unlike the Remote Support zero-day (CVE-2024-12356) that was flagged after having been exploited by China-nexus threat actors to breach the US Treasury Department in late 2024, this newest vulnerability was discovered and privately disclosed by a security researcher.

About CVE-2026-1731

BeyondTrust Privileged Remote Access is a remote help/remote access tool for IT and support teams to troubleshoot and fix problems on enterprise endpoints.

BeyondTrust Privileged Remote Access (PRA) is a product designed to provide privileged users (IT admins, third-party vendors, etc.) secure, controlled, and audited access to internal systems.

Organizations can deploy both solutions either on-premises or in the cloud, including via software-as-a-service (SaaS) models.

CVE-2026-1731 is caused by improper neutralization of special elements used in an OS command. It can be triggered by unauthenticated remote attackers sending a specially crafted client request to a vulnerable BeyondTrust RS or PRA instance.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user,” BeyondTrust says.

“Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

What to do?

CVE-2026-1731 affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior.

BeyondTrust has applied the patch for its Remote Support SaaS and Privileged Remote Access SaaS customers on February 2, 2026, and is now urging self-hosted customers to either apply the patch and/or upgrade to a fixed version.

“Customers on a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 will need to upgrade to a newer version to apply this patch,” the company added.

While there is no indication that CVE-2026-1731 is being leveraged by attackers, skilled attackers may quickly reverse-engineer the patch, pinpont the vulnerability, and devise an exploit.

The flaw was reported by Harsh Jaiswal and the Hacktron AI team, who pointed out that there are around 8,500 internet-facing on-prem Remote Support deployments out there that may be vulnerable if patches aren’t applied.

“At this time, we are withholding technical details to allow affected parties sufficient time to apply patches. We strongly recommend addressing this vulnerability promptly, as exploitation is straightforward,” they added.

UPDATE (February 12, 2026, 05:10 a.m. ET):

Rapid7 has analyzed the patch for CVE-2026-1731 and released a proof-of-concept (PoC) exploit.

UPDATE (February 13, 2026, 03:40 p.m. ET):

Several companies have reported in-the-wild exploitation of the vulnerability.

UPDATE (February 20, 2026, 10:05 a.m. ET):

CVE-2026-1731 is being leveraged in ransomware campaigns.

The US Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities catalog on February 13, updated the entry yesterday to confirm this activity.

Palo Alto Networks’ Unit 42 is actively investigating multiple compromises related to the exploitation of CVE-2026-1731 and says that the attackers are set on data theft.

“The attackers targeted configuration files, internal system databases and a full PostgreSQL dump, attempting to transmit data to an attacker-controlled C2 server,” the company shared on Thursday.

Victim organizations span multiple sectors, including financial services, healthcare, education, technology, legal, and retail. They are also spread across North America (both the US and Canada), France, Germany, and Australia.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!