BeyondTrust Remote Support and Privileged Remote Access pre-auth OS command injection (CVE-2026-1731)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-1731 is a critical pre-authentication OS command injection in BeyondTrust Remote Support and Privileged Remote Access that can let an unauthenticated attacker execute commands remotely in the site-user context. BeyondTrust patched Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier, with fixes in BT26-02-RS / 25.3.2+ and BT26-02-PRA / 25.1.1+. Research published on 2026-02-13 says watchTowr observed first in-the-wild exploitation across its global sensors, with attackers abusing get_portal_info to extract x-ns-company before establishing a WebSocket channel. Successful exploitation can lead to unauthorized access, data exfiltration, and service disruption.
Cases
Related Happenings
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Verizon 2026 DBIR shows vulnerability exploitation as the top breach access trend in 2025
Trend
H score39
First: 20.05.2026 03:04
Last: 20.05.2026 03:04
Sources 1
About this happening:
**Vulnerability exploitation** became the leading breach access vector in **2025**, increasing compromise risk across **31,000 incidents** and **22,000+ confirmed breaches**. **Un...
Verizon 2026 DBIR shows vulnerability exploitation as the top breach access trend in 2025
TrendAbout this happening: **Vulnerability exploitation** became the leading breach access vector in **2025**, increasing compromise risk across **31,000 incidents** and **22,000+ confirmed breaches**. **Un...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/Service
H score25
First: 12.05.2026 09:55
Last: 12.05.2026 09:55
Sources 1
About this happening:
OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
OpenAI launches Daybreak cybersecurity initiative for AI-powered vulnerability detection and patch validation
Security Tool/ServiceAbout this happening: OpenAI's **Daybreak** launch adds an **AI-powered cybersecurity service** for **vulnerability detection** and **patch validation**, helping organizations fix flaws before attacker...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Federal civilian executive branch agency hit by network compromise
Incident
H score21
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Federal civilian executive branch agency hit by network compromise
IncidentAbout this happening: A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Timeline
-
09.02.2026 15:07 1 articles · 5mo ago
BeyondTrust secures RS/PRA cloud systems
Mitigation Patch UpdateBeyondTrust secured all RS/PRA cloud systems by February 2, 2026 and directed on-premises customers to manually upgrade to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later if automatic updates were not enabled.
Show sources
- BeyondTrust warns of critical RCE flaw in remote support software — www.bleepingcomputer.com — 09.02.2026 15:07
-
09.02.2026 10:03 4 articles · 5mo ago
Harsh Jaiswal discovers CVE-2026-1731
Technical Analysis UpdateSecurity researcher and Hacktron AI co-founder Harsh Jaiswal discovered CVE-2026-1731 in BeyondTrust Remote Support and older Privileged Remote Access through AI-enabled variant analysis, identifying a critical pre-authentication operating system command injection that could let an unauthenticated remote attacker execute operating system commands in the site-user context; he also estimated about 11,000 internet-exposed instances, including about 8,500 on-prem deployments, could remain vulnerable without patches.
Show sources
- BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA — thehackernews.com — 09.02.2026 10:03
- Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability — thehackernews.com — 13.02.2026 10:34
- CISA gives feds 3 days to patch actively exploited BeyondTrust flaw — www.bleepingcomputer.com — 16.02.2026 14:33
- CISA: BeyondTrust RCE flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 20.02.2026 19:02
-
09.02.2026 10:03 2 articles · 5mo ago
BeyondTrust releases fixes for CVE-2026-1731
Mitigation Patch UpdateBeyondTrust released advisory updates and patches for CVE-2026-1731 affecting Remote Support 25.3.1 and prior and Privileged Remote Access 24.3.4 and prior, with Remote Support fixed in BT26-02-RS, 25.3.2 and later, and Privileged Remote Access fixed in BT26-02-PRA, 25.1.1 and later; self-hosted customers were urged to manually apply the patch or upgrade older installations before remediation.
Show sources
- BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA — thehackernews.com — 09.02.2026 10:03
- BeyondTrust warns of critical RCE flaw in remote support software — www.bleepingcomputer.com — 09.02.2026 15:07
-
09.02.2026 10:03 2 articles · 5mo ago
BeyondTrust releases fixes for CVE-2026-1731
Mitigation Patch UpdateBeyondTrust released advisory updates and patches for CVE-2026-1731 affecting Remote Support 25.3.1 and prior and Privileged Remote Access 24.3.4 and prior, with Remote Support fixed in BT26-02-RS, 25.3.2 and later, and Privileged Remote Access fixed in BT26-02-PRA, 25.1.1 and later; self-hosted customers were urged to manually apply the patch or upgrade older installations before remediation.
Show sources
- BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA — thehackernews.com — 09.02.2026 10:03
- BeyondTrust warns of critical RCE flaw in remote support software — www.bleepingcomputer.com — 09.02.2026 15:07