CVE-2026-1731 is a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) software, allowing unauthenticated remote code execution (RCE) [3][8]. The vulnerability has a CVSS score of 9.9 [3][8].
Here's a breakdown of what is known about its exploitation:
- Internet-Facing Applications or Services: BeyondTrust appliances are often internet-facing by default, making them a prime target. Compromising these systems can grant attackers access to an organization's most sensitive infrastructure, including credential vaults and managed systems [1]. Internet-facing instances are distributed across various industries, with a notable concentration in technology, hospitality, healthcare, and energy sectors [6].
- Evidence of Active Exploitation in the Wild: Active exploitation of CVE-2026-1731 has been confirmed by multiple sources [1][10]. Reconnaissance efforts were observed within 24 hours of a proof-of-concept (PoC) exploit becoming available on GitHub [2][15]. Threat actors have been observed probing for vulnerable BeyondTrust instances, sometimes targeting non-standard ports [5].
- Attack Vectors and Exploitation Methods: The vulnerability is an operating-system command injection flaw that can be exploited by sending specially crafted requests to a WebSocket endpoint [1][3]. Successful exploitation allows an unauthenticated remote attacker to execute operating system commands in the context of the site user, leading to full system compromise, unauthorized access, data exfiltration, and service disruption [4][8]. The attack complexity is low, requiring minimal effort to exploit [9].
- Use in Targeted Attacks: The sources do not explicitly state that CVE-2026-1731 has been used in specific, named targeted attacks, but the nature of the vulnerability and the platform it affects (privileged remote access) make it a high-value target for sophisticated attackers. Given that similar BeyondTrust vulnerabilities have been exploited by nation-state actors in the past, there is a significant risk of this vulnerability being used in targeted attacks [2].
- CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2026-1731 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog [7][10]. This designation is based on evidence of active exploitation in the wild and mandates that U.S. federal agencies implement security measures to protect against this vulnerability.
- Technical Details about Internet Exploitability: The vulnerability resides in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) [7][12]. It is a pre-authentication RCE vulnerability, meaning an attacker does not need to be authenticated to exploit it [3][14]. The exploitation involves sending specially crafted requests that trigger OS command injection [13]. Publicly available technical details regarding the root cause and vulnerable code paths were initially limited, but the ease of exploitation is high due to the lack of authentication requirements [9][11]. A patch is available from BeyondTrust for affected on-premise deployments [5][10].
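
The probing pattern noted above, where a source tries clusters of non-standard ports on an appliance, can be surfaced from ordinary connection logs. The following is an added example, not code from BeyondTrust or any cited source; the log format, addresses, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines: "<UTC time> <src_ip> <dst_ip> <dst_port>".
# All addresses are from documentation ranges; none come from the page.
SAMPLE_LOG = """\
2026-02-11T03:10:01Z 198.51.100.7 203.0.113.10 8443
2026-02-11T03:10:03Z 198.51.100.7 203.0.113.10 4443
2026-02-11T03:10:04Z 198.51.100.7 203.0.113.10 9443
2026-02-11T03:10:09Z 198.51.100.7 203.0.113.10 10443
2026-02-11T03:11:00Z 192.0.2.44 203.0.113.10 443
2026-02-11T03:12:00Z 192.0.2.44 203.0.113.10 443
2026-02-11T03:15:00Z 192.0.2.90 203.0.113.10 8443
2026-02-11T09:15:00Z 192.0.2.90 203.0.113.10 9443
2026-02-11T03:20:00Z 198.51.100.7 203.0.113.99 2222
malformed line
"""

def parse_events(log_text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port = parts
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            yield when, src, dst, int(port)
        except ValueError:
            continue

def find_port_sweeps(log_text, appliances, expected_ports=frozenset({443}),
                     min_ports=3, window=timedelta(minutes=10)):
    """Map source IP -> sorted unexpected ports it tried on an appliance
    within one window, for sources reaching min_ports distinct ports."""
    per_source = defaultdict(list)
    for when, src, dst, port in parse_events(log_text):
        if dst in appliances and port not in expected_ports:
            per_source[src].append((when, port))
    hits = {}
    for src, events in per_source.items():
        events.sort()
        for start, _ in events:
            ports = {p for t, p in events if start <= t <= start + window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports | set(hits.get(src, [])))
    return hits

if __name__ == "__main__":
    print(find_port_sweeps(SAMPLE_LOG, appliances={"203.0.113.10"}))
```

Set `expected_ports` to the port the appliance actually listens on; a deployment moved off 443 is still probed, so the signal is the spread of other ports, not the absence of 443.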
- Reconnaissance Has Begun for the New BeyondTrust ...
  A PoC for CVE-2026-1731 hit GitHub on Feb 10. Within 24 hours, GreyNoise observed reconnaissance probing for vulnerable BeyondTrust instances. You can look up individual IPs against our dataset at viz.greynoise.io and see classification data for free. The Bottom Line. CVE-2026-1731 follows a predic…
- CVE-2026-1731: Critical BeyondTrust Remote Support... | Orca Security
  Critical CVE-2026-1731 Vulnerability in BeyondTrust Remote Support and PRA Exposes Systems to Remote Code Execution. This is exactly why a vulnerability in these products is so dangerous. BeyondTrust appliances are designed to be internet-facing by default and they hold the keys to an organization’s…
- CVE-2026-1731 - Remote code execution vulnerability
  CVE-2026-1731 has a 2 public PoC/Exploit available at Github. ... Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-1731 weaknesses. ... February 10, 2026…
- Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable...
  The vulnerability in question is CVE-2026-1731 (CVSS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests. According to BeyondTrust, successful exploitation of the shortcoming could allow an unauthenticated remote attacker t…
- Hackers probe, exploit newly patched BeyondTrust RCE flaw (CVE-2026-1731)
  “Standard BeyondTrust deployments run on HTTPS (port 443), but few sessions target that port. The rest systematically probed clusters of non-standard ports, suggesting the attackers know that enterprises often move BeyondTrust to non-default ports for security-through-obscurity,” the company also no…