CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability.

Timeline

  1. 09.02.2026 15:07 1 articles · 9h ago

    BeyondTrust Addresses Historical Security Flaws and Zero-Day Exploits

    In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust's systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686). The U.S. Treasury Department's network was hacked in an incident linked to the Silk Typhoon Chinese state-backed hacking group, which also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC). CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, 2024, and ordered U.S. government agencies to secure their networks within a week.

    Show sources
    Open in new tab
  2. 09.02.2026 10:03 2 articles · 14h ago

    BeyondTrust Patches Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

    BeyondTrust has released updates to address a critical pre-authentication RCE vulnerability (CVE-2026-1731) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, discovered on January 31, 2026, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates. Approximately 11,000 instances were exposed, with around 8,500 being on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

Open in new tab

CISA Adds Actively Exploited Digiever NVR Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, tracked as CVE-2023-52163, allows post-authentication remote code execution via command injection. The vulnerability remains unpatched as the device has reached end-of-life (EoL) status. Threat actors are exploiting this flaw to deliver botnets like Mirai and ShadowV2. CISA recommends mitigations or discontinuation of the product by January 12, 2025.

Open in new tab

Unpatched Ivanti Endpoint Manager Vulnerabilities Disclosed by ZDI

Thirteen unpatched vulnerabilities in Ivanti Endpoint Manager have been disclosed by Trend Micro’s Zero Day Initiative (ZDI). One flaw allows local privilege escalation, while the remaining 12 enable remote code execution (RCE). The vulnerabilities were reported to Ivanti in November 2024 and June 2025, respectively. Ivanti has not yet released patches for these high-severity defects, which have CVSS scores ranging from 7.2 to 8.8. The vulnerabilities affect various components and methods within Ivanti Endpoint Manager, including the AgentPortal service, Report_RunPatch, MP_Report_Run2, DBDR, and others. Exploitation of these flaws requires authentication for most, but one RCE vulnerability can be exploited with admin credentials or by convincing a user to open a malicious file. ZDI advises restricting interaction with the product as the primary mitigation strategy. Ivanti has acknowledged the issues but has not provided a public statement on the delay in patching.

Open in new tab

Multiple Critical Vulnerabilities in SolarWinds Web Help Desk

SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds has previously released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the KEV catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files. Microsoft has revealed that it observed a multi-stage intrusion that involved the threat actors exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. The attackers used legitimate components associated with Zoho ManageEngine to enable persistent remote control over the infected system. They enumerated sensitive domain users and groups, established persistence via reverse SSH and RDP access, and conducted a DCSync attack to request password hashes and other sensitive information from an Active Directory (AD) database. Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools for malicious purposes, such as Zoho ManageEngine and Velociraptor. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16. The attackers used Velociraptor for command and control (C2) and Zoho ManageEngine for remote monitoring and management. The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform and configured the tool for unattended access. They registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. The attackers used Velociraptor as a command-and-control (C2) framework that communicates with attackers via Cloudflare Workers. The attackers used an outdated version of Velociraptor (0.73.4), which is vulnerable to a privilege escalation flaw. The attackers installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and Firewall via registry modifications to ensure that fetching additional payloads would not be blocked. The attackers downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender. System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.

Open in new tab

Critical deserialization flaw in DELMIA Apriso MOM actively exploited

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is actively exploited, with a CVSS score of 9.0. The flaw affects versions from Release 2020 through Release 2025 and allows for remote code execution (RCE). In addition to CVE-2025-5086, two more vulnerabilities (CVE-2025-6205 and CVE-2025-6204) in DELMIA Apriso have been identified and are actively exploited. CVE-2025-6205 is a critical-severity missing authorization flaw, and CVE-2025-6204 is a high-severity code injection vulnerability. Both were patched by Dassault Systèmes in early August 2025. The vulnerabilities can be chained together to create accounts with elevated privileges and place executable files into a web-served directory. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning and a file upload API used by portal components but that is accessible only post-authentication. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by November 18, 2025, to secure their networks. Additionally, a new vulnerability (CVE-2025-24893) in XWiki has been identified and is actively exploited. This flaw allows for arbitrary remote code execution through a request to the /bin/get/Main/SolrSearch endpoint and is being exploited in a two-stage attack chain that delivers a cryptocurrency miner. The vulnerability was reported by John Kwak of Trend Micro in May 2024 and was addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. Technical details on the bug emerged roughly half a year later, and an NVD advisory was published in February 2025. Numerous proof-of-concept (PoC) exploits targeting the vulnerability have been available since early 2025. CrowdSec observed the vulnerability being abused for reconnaissance earlier this year but noted a decline in activity. VulnCheck identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner. The attacks proceed in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader, and the second pass executes it. The observed traffic originates from an IP address geolocated to Vietnam that has been associated with other malicious activity. The RondoDox botnet has been observed targeting unpatched XWiki instances to exploit CVE-2025-24893. VulnCheck observed a spike in exploitation attempts, with peaks on November 7 and November 11, 2025. RondoDox is adding new exploitation vectors to rope susceptible devices into a botnet for conducting DDoS attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025. Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, establish a reverse shell, and conduct general probing activity using a Nuclei template for CVE-2025-24893.

Open in new tab