CyberHappenings

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

2 unique sources, 5 articles

Summary


BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team.

Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub.

CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including CVE-2026-20700, CVE-2025-15556, CVE-2025-40536, and CVE-2024-43468. CVE-2024-43468 was patched by Microsoft in October 2024 but is still being exploited in real-world attacks. CISA ordered U.S. government agencies to secure their systems against CVE-2024-43468 by March 5, 2026. CVE-2026-20700 was acknowledged by Apple to have been exploited in sophisticated attacks against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-15556 exploitation has been attributed to the China-linked state-sponsored threat actor Lotus Blossom, delivering a previously undocumented backdoor called Chrysalis.

Timeline

  1. 13.02.2026 10:34 · 2 articles

    CISA Adds Four Vulnerabilities to KEV Catalog

    CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including CVE-2026-20700, CVE-2025-15556, CVE-2025-40536, and CVE-2024-43468. CVE-2024-43468 was patched by Microsoft in October 2024 but is still being exploited in real-world attacks. CISA ordered U.S. government agencies to secure their systems against CVE-2024-43468 by March 5, 2026. CVE-2026-20700 was acknowledged by Apple to have been exploited in sophisticated attacks against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-15556 exploitation has been attributed to the China-linked state-sponsored threat actor Lotus Blossom, delivering a previously undocumented backdoor called Chrysalis.

  2. 12.02.2026 23:34 · 2 articles

    Attackers Exploit CVE-2026-1731 in the Wild

    Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild. The exploitation involves abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. Ryan Dewhurst, head of threat intelligence at watchTowr, reported the first in-the-wild exploitation of the BeyondTrust vulnerability observed across global sensors.

  3. 09.02.2026 15:07 · 1 article

    BeyondTrust Addresses Historical Security Flaws and Zero-Day Exploits

    In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust's systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686). The U.S. Treasury Department's network was hacked in an incident linked to the Silk Typhoon Chinese state-backed hacking group, which also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC). CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, 2024, and ordered U.S. government agencies to secure their networks within a week.

  4. 09.02.2026 10:03 · 3 articles

    BeyondTrust Patches Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

    BeyondTrust has released updates to address a critical pre-authentication RCE vulnerability (CVE-2026-1731) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, discovered on January 31, 2026, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates. Approximately 11,000 instances were exposed, with around 8,500 being on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub.

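The summary and the 09.02.2026 timeline entry both give the affected and fixed version boundaries for CVE-2026-1731 (RS 25.3.1 and prior affected, fixed in 25.3.2 and later; PRA 24.3.4 and prior affected, fixed in 25.1.1 and later) and note that self-hosted customers must patch manually. The following is an added example, not code from CyberHappenings, BeyondTrust or any of the cited sources: a small Python triage script that compares an inventory of self-hosted RS/PRA installs against those boundaries. The hostnames and versions in SAMPLE_INVENTORY are constructed, and the version-comparison rule (dotted numeric components compared left to right) is an assumption. Versions that fall between the last affected build and the first fixed build named on the page (for example a PRA 25.0.x or 25.1.0 build) are reported as "unknown" rather than assumed safe, because the page does not state their status.

```python
"""Affected-version triage for CVE-2026-1731 (BeyondTrust RS/PRA).

Version boundaries are taken from the advisory summary on this page; the
inventory below is constructed sample data, not real hosts (assumption).
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Boundaries as stated on the page: RS <= 25.3.1 affected, fixed in >= 25.3.2;
# PRA <= 24.3.4 affected, fixed in >= 25.1.1.
ADVISORY: Dict[str, Dict[str, Version]] = {
    "RS":  {"last_affected": (25, 3, 1), "first_fixed": (25, 3, 2)},
    "PRA": {"last_affected": (24, 3, 4), "first_fixed": (25, 1, 1)},
}


def parse_version(text: str) -> Version:
    """Parse '25.3.1' into (25, 3, 1); pad short strings so '25.3' == '25.3.0'.

    Assumption: product versions are dotted numeric components compared
    left to right, which is how the page quotes them.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    version = tuple(int(p) for p in parts)
    return version + (0,) * max(0, 3 - len(version))


def assess(product: str, version_text: str) -> str:
    """Classify one install as 'affected', 'fixed' or 'unknown'.

    'unknown' covers builds between the last affected and first fixed
    version the page names (e.g. PRA 25.1.0): the summary does not state
    their status, so they must be confirmed against the vendor advisory
    rather than assumed safe.
    """
    bounds = ADVISORY.get(product.upper())
    if bounds is None:
        raise ValueError(f"unknown product {product!r}; expected RS or PRA")
    version = parse_version(version_text)
    if version <= bounds["last_affected"]:
        return "affected"
    if version >= bounds["first_fixed"]:
        return "fixed"
    return "unknown"


# Constructed sample inventory with hypothetical hostnames, as a self-hosted
# customer might export it (cloud instances were secured by the vendor).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "rs-appliance-01.example.internal", "product": "RS", "version": "25.3.1"},
    {"host": "rs-appliance-02.example.internal", "product": "RS", "version": "25.3.2"},
    {"host": "pra-gw-01.example.internal", "product": "PRA", "version": "24.3.4"},
    {"host": "pra-gw-02.example.internal", "product": "PRA", "version": "25.1.0"},
    {"host": "pra-gw-03.example.internal", "product": "PRA", "version": "25.1.1"},
    {"host": "rs-legacy.example.internal", "product": "RS", "version": "24.1"},
]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment; the 'affected' and 'unknown' lists are
    the ones to feed into a patch ticket."""
    result: Dict[str, List[str]] = {"affected": [], "unknown": [], "fixed": []}
    for entry in inventory:
        result[assess(entry["product"], entry["version"])].append(entry["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Running the script lists each host under affected, unknown or fixed. Treating the gap between the two stated boundaries as "unknown" instead of "fixed" is deliberate: an advisory summary names the edges of a range, not every build in between, and a triage script that silently marks unlisted builds as safe is how a vulnerable appliance stays off the patch list.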

Similar Happenings

Critical Unauthenticated RCE Flaw in SmarterMail Patched

SmarterTools has addressed a critical unauthenticated remote code execution (RCE) flaw in SmarterMail email software, tracked as CVE-2026-24423 with a CVSS score of 9.3. The vulnerability allows attackers to execute arbitrary OS commands by pointing SmarterMail to a malicious HTTP server. The flaw was discovered by researchers from watchTowr, CODE WHITE GmbH, and VulnCheck and was patched in version Build 9511, released on January 15, 2026. CISA has added CVE-2026-24423 to its KEV catalog, marking it as actively exploited in ransomware campaigns, and has given federal agencies until February 26, 2026, to patch or stop using affected versions. Additionally, another critical flaw (CVE-2026-23760) and a medium-severity vulnerability (CVE-2026-25067) were also addressed in subsequent updates.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

CISA Adds Actively Exploited Digiever NVR Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, tracked as CVE-2023-52163, allows post-authentication remote code execution via command injection. The vulnerability remains unpatched as the device has reached end-of-life (EoL) status. Threat actors are exploiting this flaw to deliver botnets like Mirai and ShadowV2. CISA recommends mitigations or discontinuation of the product by January 12, 2025.

W3 Total Cache WordPress Plugin Command Injection Vulnerability

A critical unauthenticated command injection vulnerability (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP commands on the server by posting a malicious comment. The flaw affects versions prior to 2.8.13 and is actively being exploited. The developer released a patch on October 20, but hundreds of thousands of websites remain vulnerable. A proof-of-concept exploit is scheduled for public release on November 24.

React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)

A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability is being actively exploited in the wild, with attacks observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks involve delivering base-64 encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. The payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). The vulnerability affects Windows, Linux, and macOS systems, with varying levels of control over executed commands. The flaw was discovered by researchers at JFrog and disclosed in early November 2025. The vulnerability is dubbed Metro4Shell by VulnCheck. The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting.