
Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

2 unique sources, 9 articles

Summary


BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw allows unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. It affects RS versions 25.3.1 and prior and PRA versions 24.3.4 and prior; fixes are available in RS 25.3.2 and later and PRA 25.1.1 and later. Customers of the cloud-based (SaaS) application had the patch applied automatically on February 2, 2026, and BeyondTrust secured all RS/PRA cloud systems by that date. Self-hosted customers must either enable automatic updates or manually install the patch; the recommended versions are 25.3.2 for Remote Support and 25.1.1 or newer for Privileged Remote Access. Customers still running RS v21.3 or PRA v22.1 are advised to upgrade to a newer version before applying the patch.

The vulnerability was discovered on January 31, 2026, by Harsh Jaiswal and the Hacktron AI team. Approximately 11,000 exposed instances were identified, including around 8,500 on-prem deployments. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that require no user interaction. In June 2025, BeyondTrust had fixed a high-severity RS/PRA Server-Side Template Injection vulnerability.

Attackers have begun actively exploiting CVE-2026-1731 in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel; a proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Threat actors have been observed using it to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access, and malware such as VShell and Spark RAT has been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, has been exfiltrated to an external server.

CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, as CVE-2024-12356 was exploited by China-nexus threat actors such as Silk Typhoon. Proof-of-concept (PoC) exploits became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13, gave federal agencies three days to apply the patch or stop using the product, confirmed that it has been exploited in ransomware campaigns, and activated the 'Known To Be Used in Ransomware Campaigns?' indicator for it in the KEV catalog.
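As an added example (not code from BeyondTrust, CISA or this page's sources), the following Python script applies the affected and fixed version thresholds quoted in the summary to an inventory of self-hosted RS/PRA instances, so an operator can see at a glance which hosts still need the patch and which sit on the legacy trains the advisory says must be upgraded first. The inventory rows, host names, the `internet_exposed` field and the priority labels are constructed assumptions for illustration; only the version thresholds come from the page.

```python
"""Triage self-hosted BeyondTrust RS/PRA instances against the CVE-2026-1731
advisory thresholds quoted on this page. Added example; the inventory below
is constructed sample data, not a real deployment."""

# Thresholds as stated on the page: RS <= 25.3.1 and PRA <= 24.3.4 are
# affected; RS >= 25.3.2 and PRA >= 25.1.1 contain the fix.
FIXED_VERSION = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}

# The page says customers still on RS v21.3 / PRA v22.1 should move to a
# newer version before applying the patch, so those trains get their own state.
LEGACY_TRAIN = {"RS": (21, 3), "PRA": (22, 1)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.3.1', '25.3' or 'v21.3' into a comparable integer tuple.

    Comparing as tuples avoids the classic string-ordering bug where
    '25.10.0' sorts below '25.3.2'. Short versions are padded to three parts.
    """
    cleaned = text.strip().lstrip("vV")
    if not cleaned:
        raise ValueError(f"empty version: {text!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * (3 - len(parts))


def assess(product: str, version: str) -> str:
    """Return 'patched', 'affected' or 'affected-legacy-upgrade-first'."""
    product = product.upper()
    if product not in FIXED_VERSION:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v >= FIXED_VERSION[product]:
        return "patched"
    if v[:2] == LEGACY_TRAIN[product]:
        return "affected-legacy-upgrade-first"
    return "affected"


def triage(inventory: list[dict]) -> list[dict]:
    """Annotate each inventory row with its patch status and a priority.

    Priority scheme (an assumption for this example): an affected instance
    that is reachable from the internet is P1, any other affected instance
    is P2, and a patched instance needs no action.
    """
    result = []
    for row in inventory:
        status = assess(row["product"], row["version"])
        if status == "patched":
            priority = "none"
        elif row.get("internet_exposed", False):
            priority = "P1"
        else:
            priority = "P2"
        result.append({"host": row["host"], "status": status, "priority": priority})
    # Most urgent first, then by host name for stable output.
    order = {"P1": 0, "P2": 1, "none": 2}
    result.sort(key=lambda r: (order[r["priority"]], r["host"]))
    return result


def count_by_status(rows: list[dict]) -> dict:
    """Summarise triage output as {status: count}."""
    counts: dict = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


# Constructed sample inventory (host names and exposure flags are made up).
SAMPLE_INVENTORY = [
    {"host": "rs-edge-1", "product": "RS", "version": "25.3.1", "internet_exposed": True},
    {"host": "rs-lab", "product": "RS", "version": "25.3.2", "internet_exposed": False},
    {"host": "pra-dc-2", "product": "PRA", "version": "24.3.4", "internet_exposed": True},
    {"host": "pra-old", "product": "PRA", "version": "v22.1", "internet_exposed": False},
    {"host": "pra-new", "product": "PRA", "version": "25.1.1", "internet_exposed": True},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['priority']:4} {r['host']:10} {r['status']}")
    print(count_by_status(triage(SAMPLE_INVENTORY)))
```

Feed `triage()` rows exported from whatever asset register holds the appliance versions; the two things worth checking in the output are that nothing on the affected RS 25.3.1 / PRA 24.3.4 line is still internet-facing, and that legacy-train hosts are scheduled for the intermediate upgrade rather than a direct patch attempt.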

Timeline

  1. 13.02.2026 10:34 · 5 articles

    CISA Adds Four Vulnerabilities to KEV Catalog

    CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015. CVE-2026-2441 is a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. CVE-2024-7694 is an arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier with a CVSS score of 7.2. CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) with a CVSS score of 9.8. CVE-2008-0015 is a stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control with a CVSS score of 8.8. Google acknowledged that an exploit for CVE-2026-2441 exists in the wild. A report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. The exploit for CVE-2008-0015 may connect to a remote server and download other malware, including the Dogkild worm. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns.

  2. 12.02.2026 23:34 · 3 articles

    Attackers Exploit CVE-2026-1731 in the Wild

    Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild. The exploitation involves abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. Ryan Dewhurst, head of threat intelligence at watchTowr, reported the first in-the-wild exploitation of BeyondTrust across global sensors. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT has been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, has been exfiltrated to an external server. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns.

  3. 09.02.2026 15:07 · 1 article

    BeyondTrust Addresses Historical Security Flaws and Zero-Day Exploits

    In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust's systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686). The U.S. Treasury Department's network was hacked in an incident linked to the Silk Typhoon Chinese state-backed hacking group, which also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC). CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, 2024, and ordered U.S. government agencies to secure their networks within a week.

  4. 09.02.2026 10:03 · 5 articles

    BeyondTrust Patches Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

    BeyondTrust has released updates to address a critical pre-authentication RCE vulnerability (CVE-2026-1731) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, discovered on January 31, 2026, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Approximately 11,000 instances were exposed, with around 8,500 being on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product, and has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.


Similar Happenings

Critical Unauthenticated RCE Flaw in SmarterMail Patched

SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in version Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were also addressed in subsequent updates.

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with four new vulnerabilities that are being actively exploited in the wild. The vulnerabilities affect Synacor Zimbra Collaboration Suite, Versa Concerto SD-WAN, Vite Vitejs, and eslint-config-prettier. Federal agencies are required to apply patches by February 12, 2026. The vulnerabilities include a PHP remote file inclusion flaw, an authentication bypass, an improper access control issue, and a supply chain attack involving malicious code execution. Exploitation of one of the vulnerabilities, CVE-2025-68645, has been ongoing since January 14, 2026. CVE-2025-31125 affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. CVE-2025-34026 is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs. Affected products for CVE-2025-34026 are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted. Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025. Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) for CVE-2025-54313 would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens. CVE-2025-68645 is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1 caused by improper handling of user-supplied parameters in the RestFilter servlet.

Chainlit Framework Vulnerabilities Expose AI Application Infrastructure

Two high-severity vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025, and patched on December 24, 2025, with the release of Chainlit version 2.9.4. Chainlit, widely used for building conversational AI applications, has seen significant adoption with over 7.3 million downloads to date, including 220,000 in the past week alone. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments, particularly in enterprise deployments and academic institutions.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

CISA Adds Actively Exploited Digiever NVR Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, tracked as CVE-2023-52163, allows post-authentication remote code execution via command injection. The vulnerability remains unpatched as the device has reached end-of-life (EoL) status. Threat actors are exploiting this flaw to deliver botnets like Mirai and ShadowV2. CISA recommends mitigations or discontinuation of the product by January 12, 2025.