Find notable cyber news and cases, enriched with sources, timelines, and signals.

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 76
1 unique sources, 3 articles

Summary

Hide ▲

CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access is now seeing first in-the-wild exploitation, putting exposed appliances at risk of remote command execution. The activity targets exposed portals and abuses /get_portal_info to extract the X-Ns-Company value before establishing a WebSocket channel. Hacktron said about 11,000 instances were exposed online, including roughly 8,500 on-premises deployments, expanding the pool of systems at risk. Unpatched self-hosted appliances should be treated as high priority because the exploit requires no authentication or user interaction.

Cases

Related Happenings

BeyondTrust Remote Support and Privileged Remote Access critical fixes

Security Patch Release
H score38 First: 07.07.2026 08:16 Last: 07.07.2026 08:16 Sources 1

About this happening: **BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...

Amazon Q Developer MCP trust flaw (CVE-2026-12957)

Vulnerability
H score32 First: 26.06.2026 16:53 Last: 26.06.2026 16:53 Sources 1

About this happening: **Amazon Q Developer** had a **high-severity** trust-boundary flaw in **MCP server** handling that could let a malicious repository trigger commands on a developer machine and ste...

Dify cross-tenant auth bypass vulnerabilities multiple vulnerabilities path traversal flaw (CVE-2026-41948)

Vulnerability
H score31 First: 22.06.2026 19:13 Last: 22.06.2026 19:13 Sources 1

About this happening: Researchers disclosed **four Dify vulnerabilities** that exposed **cross-tenant AI chats, documents, and internal API access** on the platform's multi-tenant cloud service. Three...

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

Timeline

  1. 12.02.2026 23:34 3 articles · 4mo ago

    Hacktron discloses CVE-2026-1731 in BeyondTrust appliances

    Technical Analysis Update

    Hacktron discovered CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access appliances and responsibly disclosed it to BeyondTrust on January 31, with roughly 11,000 Remote Support instances exposed online and about 8,500 on-premises deployments.

    Show sources
  2. 12.02.2026 23:34 1 articles · 4mo ago

    BeyondTrust patches SaaS instances for CVE-2026-1731

    Mitigation Patch Update

    BeyondTrust automatically patched all Remote Support and Privileged Remote Access SaaS instances on February 2, 2026, while self-hosted customers of the affected appliances still had to install patches manually.

    Show sources
  3. 12.02.2026 23:34 1 articles · 4mo ago

    BeyondTrust publicly warns on CVE-2026-1731

    Initial Disclosure

    BeyondTrust disclosed CVE-2026-1731 on February 6, warning that unauthenticated attackers could trigger a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and older Privileged Remote Access versions by sending specially crafted client requests.

    Show sources
  4. 12.02.2026 23:34 2 articles · 4mo ago

    watchTowr reports first exploitation of exposed BeyondTrust portals

    Exploitation Observed

    watchTowr reported first in-the-wild exploitation of exposed BeyondTrust portals on February 12, 2026, saying attackers were abusing /get_portal_info to extract the X-Ns-Company value before establishing a WebSocket channel and execute commands on vulnerable systems.

    Show sources