BeyondTrust CVE-2026-1731 exploitation and remediation
Updated 20.02.2026 19:02
Case score 64
Score breakdown
- Total: 64
- Lead score: 61
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 1
Top contributors
- Vulnerability (base): Anchors the case with the critical pre-authentication BeyondTrust flaw and vendor remediation details.
- Exploitation Wave (support): Adds first in-the-wild exploitation, the observed request sequence, and the exposure estimate.
- Advisory/Mitigation (context): Provides KEV status and the three-day remediation deadline for the same BeyondTrust vulnerability.
Members 3
Latest activity 20.02.2026 19:02
Active exploitation
KEV: CISA KEV
Patch/mitigation varies by member
CVSS: 9.9 Critical
First seen 09.02.2026 10:03
Last seen 20.02.2026 19:02
Overview
**CVE-2026-1731** is being exploited in **BeyondTrust Remote Support** and **Privileged Remote Access**: a pre-authentication OS command injection lets an unauthenticated attacker run commands in the site-user context. The activity affects self-hosted appliances running Remote Support **25.3.1 and earlier** and Privileged Remote Access **24.3.4 and earlier**; watchTowr reported the first in-the-wild abuse, which used **/get_portal_info** followed by **WebSocket** setup.
BeyondTrust patched its SaaS service automatically and published **BT26-02-RS** and **BT26-02-PRA** for fixed on-premises versions, and CISA added the flaw to the **KEV catalog** with a three-day remediation deadline. Available evidence points to a wide exposure surface and active exploitation, but the full compromise scope is not quantified.
Attackers are exploiting **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access**, a critical pre-authentication OS command injection that lets an unauthenticated remote attacker execute operating system commands in the site-user context.
The flaw affects **Remote Support 25.3.1 and earlier** and **Privileged Remote Access 24.3.4 and earlier**, and successful exploitation can lead to unauthorized access, data exfiltration, and service disruption.
watchTowr reported first in-the-wild exploitation on 2026-02-13 and said attackers are abusing **/get_portal_info** to extract **x-ns-company** before opening a WebSocket channel.
Hacktron estimated about **11,000** internet-exposed instances, including roughly **8,500** on-premises deployments, which leaves a large self-hosted exposure surface.
BeyondTrust said its cloud systems were secured by February 2, 2026, but self-hosted customers still need to apply **BT26-02-RS** or **BT26-02-PRA**, or upgrade to **Remote Support 25.3.2+** and **Privileged Remote Access 25.1.1+**.
CISA added **CVE-2026-1731** to the **KEV catalog** and directed federal agencies to apply the patch or stop using affected deployments within three days.
Available evidence does not quantify compromise scope, but the active exploitation and KEV deadline make exposed appliances high priority for verification and patching.
Internet-facing systems should be checked for signs of compromise and upgraded or removed from service if they cannot be remediated.
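An added triage example (written for this page, not code from BeyondTrust, watchTowr or the case itself) that scans reverse-proxy access logs for the request sequence reported above: a client fetching /get_portal_info and then receiving an HTTP 101 (WebSocket upgrade) shortly afterwards. It assumes combined log format in front of the appliance, a 300-second window and constructed sample lines; the WebSocket path is a placeholder because the page does not name it, and a match is a lead for review, not proof of compromise.

```python
import re
from datetime import datetime

# Combined log format as written by a reverse proxy in front of the appliance (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into ip, timestamp, path (query stripped) and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }

def find_portal_info_then_upgrade(lines, window_s=300):
    """Return (ip, portal_ts, upgrade_ts) for each client that requested
    /get_portal_info and then received HTTP 101 (WebSocket upgrade) within
    window_s seconds. A hit is a lead for review, not proof of exploitation."""
    last_portal = {}   # ip -> time of its most recent /get_portal_info request
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue       # skip lines that do not parse instead of failing
        if rec["path"] == "/get_portal_info":
            last_portal[rec["ip"]] = rec["ts"]
        elif rec["status"] == 101:
            t0 = last_portal.pop(rec["ip"], None)
            if t0 is not None and 0 <= (rec["ts"] - t0).total_seconds() <= window_s:
                hits.append((rec["ip"], t0, rec["ts"]))
    return hits

# Constructed sample lines (not real traffic). 203.0.113.5 shows the sequence;
# 198.51.100.7 only fetches the portal page. The WebSocket path is a placeholder
# because the page does not name it; detection keys on the 101 status, not the path.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2026:08:01:10 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Feb/2026:08:01:12 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Feb/2026:08:01:13 +0000] "GET /WEBSOCKET_PATH_PLACEHOLDER HTTP/1.1" 101 0',
    '198.51.100.7 - - [14/Feb/2026:08:02:00 +0000] "GET /login HTTP/1.1" 200 2048',
]
```

Feed real log lines to `find_portal_info_then_upgrade` and review each returned client against the BeyondTrust session history before treating it as an incident.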