Mallory

BeyondTrust Pre-Authentication RCE in Remote Support and Privileged Remote Access (CVE-2026-1731)

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, initial-access-method, data-exfiltration-method, operational-disruption
Updated March 20, 2026 at 02:15 PM · 28 sources

BeyondTrust released security updates for a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). Tracked as CVE-2026-1731 (CVSS 9.9), the issue is described as an operating system command injection that can be triggered via specially crafted requests without authentication, allowing an attacker to execute OS commands in the context of the site user and potentially enabling unauthorized access, data exfiltration, and service disruption.

Affected versions include Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier. BeyondTrust provided fixes via RS Patch BT26-02-RS / RS 25.3.2+ and PRA Patch BT26-02-PRA / PRA 25.1.1+, and urged self-hosted customers to manually apply updates if not enrolled in automatic updates; older deployments (e.g., RS <21.3 or PRA <22.1) must first upgrade to a supported release line to apply the remediation. BeyondTrust’s SaaS instances were patched automatically (reported as completed on 2026-02-02), reducing exposure primarily to organizations operating self-managed installations.
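As an added example (not part of the Mallory write-up or of BeyondTrust's advisory), the following Python encodes the version thresholds quoted above so that a self-hosted RS/PRA inventory can be sorted into a remediation queue: releases below the supported line first need an upgrade, releases within the affected range take the patch directly, and SaaS tenants are reported as vendor-patched. The hostnames, the inventory tuple layout and the status labels are constructed for illustration.

```python
# Added example: triage a BeyondTrust RS/PRA inventory against the affected
# and fixed versions stated in the advisory summary. Not vendor code.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Convert '25.3.1' into (25, 3, 1) so tuple ordering compares
    versions numerically instead of lexically ('9' > '25' as strings)."""
    return tuple(int(part) for part in text.strip().split("."))


# Thresholds as summarised on this page:
#   RS : 25.3.1 and earlier affected, fixed in 25.3.2+ (patch BT26-02-RS);
#        releases before 21.3 must first move to a supported line.
#   PRA: 24.3.4 and earlier affected, fixed in 25.1.1+ (patch BT26-02-PRA);
#        releases before 22.1 must first move to a supported line.
RULES = {
    "RS":  {"affected_max": "25.3.1", "min_patchable": "21.3"},
    "PRA": {"affected_max": "24.3.4", "min_patchable": "22.1"},
}


def assess(product: str, version: str, hosting: str = "self-hosted") -> str:
    """Return one of: vendor_patched, upgrade_required,
    affected_patch_available, not_affected (labels are constructed)."""
    if product not in RULES:
        raise ValueError(f"unknown product {product!r}; expected RS or PRA")
    if hosting == "saas":
        # The page states SaaS instances were patched by the vendor on 2026-02-02.
        return "vendor_patched"
    rule = RULES[product]
    v = parse_version(version)
    if v < parse_version(rule["min_patchable"]):
        # Too old to take the patch; an upgrade to a supported line comes first.
        return "upgrade_required"
    if v <= parse_version(rule["affected_max"]):
        # Follows the advisory's "<version> and earlier" wording.
        return "affected_patch_available"
    return "not_affected"


def triage(inventory: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status, most urgent bucket first."""
    buckets: Dict[str, List[str]] = {
        "upgrade_required": [],
        "affected_patch_available": [],
        "not_affected": [],
        "vendor_patched": [],
    }
    for host, product, version, hosting in inventory:
        buckets[assess(product, version, hosting)].append(host)
    return buckets


# Constructed sample inventory: hostnames and deployments are made up.
SAMPLE_INVENTORY = [
    ("rs-dmz-01.example.test", "RS",  "25.3.1", "self-hosted"),
    ("rs-dmz-02.example.test", "RS",  "25.3.2", "self-hosted"),
    ("rs-legacy.example.test", "RS",  "20.2.1", "self-hosted"),
    ("pra-core.example.test",  "PRA", "24.3.4", "self-hosted"),
    ("pra-new.example.test",   "PRA", "25.1.1", "self-hosted"),
    ("pra-cloud.example.test", "PRA", "25.1.1", "saas"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:26s} {', '.join(hosts) or '-'}")
```

The two-component `min_patchable` values compare correctly against three-component versions because a longer tuple with an equal prefix sorts after the shorter one, so 21.3.0 is treated as already on the supported line while 21.2.9 is not.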

Timeline

  1. Feb 16, 2026

    Canadian Cyber Centre issues alert citing active exploitation

    The Canadian Centre for Cyber Security released Alert AL26-003 warning that open-source reporting indicated CVE-2026-1731 was being exploited in the wild. It advised organizations to patch, review logs, restrict management interfaces, and remove internet exposure until remediation was complete.

  2. Feb 13, 2026

    CISA sets February 16 deadline for federal remediation

    Under Binding Operational Directive 22-01, CISA ordered Federal Civilian Executive Branch agencies to remediate CVE-2026-1731 by February 16, 2026. The directive reflected the short timeline imposed because the flaw was already being exploited in the wild.

  3. Feb 13, 2026

    CISA adds CVE-2026-1731 to the KEV catalog

    CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency warned that the BeyondTrust flaw posed significant risk to federal networks and urged prioritized remediation.

  4. Feb 13, 2026

    Arctic Wolf links exploitation to post-compromise intrusion activity

    Arctic Wolf reported a threat campaign exploiting CVE-2026-1731 to deploy SimpleHelp for persistence, perform Active Directory discovery, create privileged accounts, and move laterally with PsExec and Impacket SMB activity. The findings showed attackers were using the flaw for broader network takeover rather than simple opportunistic access.

  5. Feb 12, 2026

    In-the-wild exploitation of CVE-2026-1731 is confirmed

    watchTowr, GreyNoise, Defused Cyber, and other researchers reported active exploitation of CVE-2026-1731 against self-hosted BeyondTrust deployments. Security guidance shifted from urgent patching to assuming exposed unpatched systems may already be compromised.

  6. Feb 12, 2026

    Researchers publish technical exploitation details and detection observations

    Security researchers disclosed that attackers were abusing the /get_portal_info endpoint to obtain the x-ns-company identifier and then using a WebSocket channel to execute commands. Reports from GreyNoise, Defused Cyber, Rapid7, and others also described scanning activity, Nuclei-based checks, and multiple exploit tools in use.

  7. Feb 11, 2026

    GreyNoise observes reconnaissance for vulnerable BeyondTrust systems

    By February 11, GreyNoise detected active probing for vulnerable BeyondTrust RS and PRA instances following the PoC release. The scanning was heavily concentrated from a single VPN-associated IP and often targeted non-standard ports, suggesting operators understood enterprise deployment patterns.

  8. Feb 10, 2026

    Public PoC exploit for CVE-2026-1731 is posted to GitHub

    A proof-of-concept exploit for CVE-2026-1731 was published online, lowering the barrier to weaponization of the newly disclosed BeyondTrust flaw. Subsequent reporting linked the release to a rapid increase in attacker interest.

  9. Feb 9, 2026

    National cyber agencies issue advisories on BeyondTrust flaw

    Government cyber authorities including Canada's Cyber Centre and Belgium's CCB published alerts directing administrators to review BeyondTrust's advisory and apply updates for CVE-2026-1731. These notices amplified the vendor's warning to public- and private-sector defenders.

  10. Feb 6, 2026

    Researcher Harsh Jaiswal and Hacktron AI report the vulnerability

    Harsh Jaiswal and the Hacktron AI team were identified as the discoverers who privately disclosed CVE-2026-1731 to BeyondTrust. Their analysis also estimated roughly 11,000 internet-exposed instances, including about 8,500 on-prem systems potentially vulnerable if unpatched.

  11. Feb 6, 2026

    BeyondTrust discloses CVE-2026-1731 and releases self-hosted patches

    BeyondTrust published a security advisory for CVE-2026-1731, a critical pre-authentication OS command injection flaw in RS and PRA, and released patches and fixed versions for self-hosted deployments. The company warned that exploitation requires no authentication or user interaction and urged immediate patching or upgrade.

  12. Feb 2, 2026

    BeyondTrust patches SaaS RS and PRA instances for CVE-2026-1731

    BeyondTrust deployed fixes for CVE-2026-1731 to its cloud-hosted Remote Support and Privileged Remote Access environments, automatically protecting SaaS customers. Self-hosted customers were not covered by this automatic remediation.


Related Stories

Active Exploitation of BeyondTrust Remote Support RCE (CVE-2026-1731) to Deploy VShell and SparkRAT

**BeyondTrust Remote Support** is being actively exploited via **CVE-2026-1731**, a **critical pre-authentication OS command injection / RCE** flaw (CVSS **9.9**) in the `thin-scc-wrapper` component exposed to the internet via **WebSocket**. Reporting indicates attackers can execute system commands without logging in, enabling rapid progression from initial access to full compromise, including reconnaissance, account creation, webshell deployment, C2 activity, lateral movement, and data theft. Victimology described to date spans multiple sectors—**financial services, healthcare, legal services, higher education, and technology/retail**—across the **U.S., France, Germany, Australia, and Canada**, with telemetry indicating **10,600+** exposed instances potentially at risk. Threat activity observed in exploitation includes deployment of two prominent remote-access backdoors: **VShell** (noted for stealthy, service-like behavior and fileless/memory execution on Linux) and **SparkRAT** (an open-source Go-based RAT previously seen in campaigns linked to *DragonSpark*). Due to confirmed exploitation, **CISA added CVE-2026-1731 to the KEV Catalog** (Feb. 13, 2026), signaling urgent patching/mitigation prioritization. Separate reporting in the same period covered unrelated critical issues in **GNU Inetutils telnetd (CVE-2026-24061)** and an exploitation surge affecting **Ivanti** products (**CVE-2025-0282/CVE-2025-0283**), but those are distinct from the BeyondTrust activity.

1 month ago

Ransomware Actors Exploit BeyondTrust Remote Support Flaw Targeting Healthcare

U.S. health-sector authorities warned hospitals and clinics to urgently patch a **critical vulnerability** in *BeyondTrust Remote Support* and *Privileged Remote Access* that can provide attackers an initial foothold and enable **unauthorized control** of affected appliances inside enterprise networks. The flaw is tracked as **CVE-2026-1731** and was highlighted to the healthcare and public health sector amid increased targeting of those organizations. **CISA** added CVE-2026-1731 to its **Known Exploited Vulnerabilities (KEV)** catalog and set an accelerated remediation deadline for federal agencies, later updating the entry to warn that **ransomware operators are actively exploiting** the issue. *Palo Alto Networks Unit 42* also reported observed in-the-wild exploitation, describing threat actors weaponizing the vulnerability to take control of appliances and expand access within victim environments, increasing risk to clinical networks if unpatched.

1 month ago

Critical RCE Vulnerabilities in Trend Micro Apex One Management Console

**Trend Micro patched two critical remote code execution vulnerabilities in *Apex One* affecting Windows environments**, both caused by **path traversal weaknesses in the Apex One management console**: `CVE-2025-71210` and `CVE-2025-71211`. Trend Micro stated exploitation requires an attacker to have access to the management console, and warned organizations with consoles exposed to the internet to apply mitigations such as source/IP restrictions and to update to the latest builds; the fixes include updates for SaaS deployments and **Critical Patch Build 14136** for affected on-prem installations. Canada’s Centre for Cyber Security issued advisory **AV26-168** urging administrators to apply Trend Micro’s updates for **Apex One (on-premise)**, **Apex One as a Service (SaaS)**, and **Trend Vision One Endpoint / Standard Endpoint Protection (SaaS)**. Neither advisory indicated confirmed exploitation in the wild for these specific CVEs at the time of publication, but the vendor and reporting highlighted that **Apex One vulnerabilities have been actively exploited in prior campaigns**, reinforcing the need for rapid patching and exposure reduction of management interfaces.

1 month ago