BeyondTrust CVE-2026-1731 exploitation and remediation

**CVE-2026-1731** is a **critical pre-authentication OS command injection** in **BeyondTrust Remote Support** and **Privileged Remote Access** that can let an **unauthenticated attacker** execute commands remotely in the site-user context. BeyondTrust patched **Remote Support 25.3.1 and earlier** and **Privileged Remote Access 24.3.4 and earlier**, with fixes in **BT26-02-RS / 25.3.2+** and **BT26-02-PRA / 25.1.1+**. Research published on **2026-02-13** says **watchTowr** observed **first in-the-wild exploitation** across its global sensors, with attackers abusing **get_portal_info** to extract **x-ns-company** before establishing a WebSocket channel. Successful exploitation can lead to **unauthorized access, data exfiltration, and service disruption**.

**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote command execution. The activity targets **exposed portals** and abuses **/get_portal_info** to extract the **X-Ns-Company** value before establishing a WebSocket channel. Hacktron said about **11,000 instances** were exposed online, including roughly **8,500 on-premises deployments**, expanding the pool of systems at risk. Unpatched self-hosted appliances should be treated as high priority because the exploit requires **no authentication or user interaction**.

CISA ordered urgent **KEV** mitigation for **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access**, forcing affected federal deployments to **apply the patch** or **stop using the product** within **three days**. The directive reflects active exploitation risk and turns the flaw into a mandatory remediation item. BeyondTrust customers running self-hosted systems must still **verify** or **install** the update, while the SaaS service was patched automatically.