Critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access allowing unauthenticated attackers to execute OS commands via specially crafted requests. Active exploitation confirmed with CISA KEV listing.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-02-06
Added to CISA KEV: 2026-02-13 (7 days between CVE and KEV)
Critical CVE-2026-1731 Vulnerability in BeyondTrust Remote Support and PRA Exposes Systems to Remote Code Execution.
This is exactly why a vulnerability in these products is so dangerous. BeyondTrust appliances are designed to be internet-facing by default and they hold the keys to an organization’s most sensitive infrastructure. Compromising one doesn’t just give an attacker a single server. It gives them the credential vault, the session recordings, and a direct tunnel into every system the appliance manages.
A PoC for CVE-2026-1731 hit GitHub on Feb 10. Within 24 hours, GreyNoise observed reconnaissance probing for vulnerable BeyondTrust instances. You can look up individual IPs against our dataset at viz.greynoise.io and see classification data for free.
The Bottom Line. CVE-2026-1731 follows a predictable but dangerous pattern: critical disclosure, rapid PoC, and immediate reconnaissance. The last time a BeyondTrust pre-auth RCE went unpatched, a nation-state actor exploited it to breach a U.S. government agency.
CVE-2026-1731 has 2 public PoCs/exploits available on GitHub. ... Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-1731 weaknesses. ...
February 10, 2026
Vulnerability Summary
Identifier: CVE-2026-1731
Severity: Critical (CVSS 4.0 base score ~9.9)
Type: Pre-authentication remote code execution (RCE) via OS command injection
Affected Softwa ...
The vulnerability in question is CVE-2026-1731 (CVSS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests. According to BeyondTrust, successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption. Data from GreyNoise revealed that a single IP accounted for 86% of all observed reconnaissance sessions so far.
“Standard BeyondTrust deployments run on HTTPS (port 443), but few sessions target that port. The rest systematically probed clusters of non-standard ports, suggesting the attackers know that enterprises often move BeyondTrust to non-default ports for security-through-obscurity,” the company also noted.
What to do? BeyondTrust applied a patch for CVE-2026-1731 to all Remote Support SaaS and Privileged Remote Access SaaS customers on February 2, and urged customers with on-prem instances to patch quickly.