BeyondTrust Remote Support and Privileged Remote Access pre-auth OS command injection (CVE-2026-1731)
Vulnerability
Summary
CVE-2026-1731 is a critical pre-authentication OS command injection in BeyondTrust Remote Support and Privileged Remote Access that can let an unauthenticated attacker execute commands remotely in the site-user context. BeyondTrust patched Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier, with fixes in BT26-02-RS / 25.3.2+ and BT26-02-PRA / 25.1.1+. Research published on 2026-02-13 says watchTowr observed first in-the-wild exploitation across its global sensors, with attackers abusing get_portal_info to extract x-ns-company before establishing a WebSocket channel. Successful exploitation can lead to unauthorized access, data exfiltration, and service disruption.
Cases
Related Happenings
Verizon 2026 DBIR shows vulnerability exploitation as the top breach access trend in 2025
Target Trend
First: 20.05.2026 03:04
Last: 20.05.2026 03:04
Sources 1
About this happening:
**Vulnerability exploitation** became the leading breach access vector in **2025**, increasing compromise risk across **31,000 incidents** and **22,000+ confirmed breaches**. **Un...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/Service
First: 12.05.2026 09:55
Last: 12.05.2026 09:55
Sources 1
About this happening:
OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Grafana prompt injection exfiltration security flaw
Vulnerability
First: 07.04.2026 17:00
Last: 07.04.2026 17:00
Sources 1
About this happening:
**GrafanaGhost** is a critical **Grafana** vulnerability that attackers are using to silently exfiltrate sensitive enterprise data from monitoring environments. The flaw bypasses...
Timeline
-
09.02.2026 15:07 1 article · 3mo ago
BeyondTrust secures RS/PRA cloud systems
Mitigation Patch Update
BeyondTrust secured all RS/PRA cloud systems by February 2, 2026 and directed on-premises customers to manually upgrade to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later if automatic updates were not enabled.
Sources:
- BeyondTrust warns of critical RCE flaw in remote support software — www.bleepingcomputer.com — 09.02.2026 15:07
-
09.02.2026 10:03 4 articles · 3mo ago
Harsh Jaiswal discovers CVE-2026-1731
Technical Analysis Update
Security researcher and Hacktron AI co-founder Harsh Jaiswal discovered CVE-2026-1731 in BeyondTrust Remote Support and older Privileged Remote Access through AI-enabled variant analysis, identifying a critical pre-authentication operating system command injection that could let an unauthenticated remote attacker execute operating system commands in the site-user context; he also estimated about 11,000 internet-exposed instances, including about 8,500 on-prem deployments, could remain vulnerable without patches.
Sources:
- BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA — thehackernews.com — 09.02.2026 10:03
- Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability — thehackernews.com — 13.02.2026 10:34
- CISA gives feds 3 days to patch actively exploited BeyondTrust flaw — www.bleepingcomputer.com — 16.02.2026 14:33
- CISA: BeyondTrust RCE flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 20.02.2026 19:02
-
09.02.2026 10:03 2 articles · 3mo ago
BeyondTrust releases fixes for CVE-2026-1731
Mitigation Patch Update
BeyondTrust released advisory updates and patches for CVE-2026-1731 affecting Remote Support 25.3.1 and prior and Privileged Remote Access 24.3.4 and prior, with Remote Support fixed in BT26-02-RS, 25.3.2 and later, and Privileged Remote Access fixed in BT26-02-PRA, 25.1.1 and later; self-hosted customers were urged to manually apply the patch or upgrade older installations before remediation.
Sources:
- BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA — thehackernews.com — 09.02.2026 10:03
- BeyondTrust warns of critical RCE flaw in remote support software — www.bleepingcomputer.com — 09.02.2026 15:07