BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access is now seeing first in-the-wild exploitation, putting exposed appliances at risk of remote command execution. The activity targets exposed portals and abuses /get_portal_info to extract the X-Ns-Company value before establishing a WebSocket channel. Hacktron said about 11,000 instances were exposed online, including roughly 8,500 on-premises deployments, expanding the pool of systems at risk. Unpatched self-hosted appliances should be treated as high priority because the exploit requires no authentication or user interaction.
Cases
Related Happenings
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch Release
H score38
First: 07.07.2026 08:16
Last: 07.07.2026 08:16
Sources 1
About this happening:
**BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
BeyondTrust Remote Support and Privileged Remote Access critical fixes
Security Patch ReleaseAbout this happening: **BeyondTrust** released **RS 25.3.3** and **PRA 25.3.3** to fix **four critical vulnerabilities** in its remote-access appliances, including **pre-authentication access-control b...
Amazon Q Developer MCP trust flaw (CVE-2026-12957)
Vulnerability
H score32
First: 26.06.2026 16:53
Last: 26.06.2026 16:53
Sources 1
About this happening:
**Amazon Q Developer** had a **high-severity** trust-boundary flaw in **MCP server** handling that could let a malicious repository trigger commands on a developer machine and ste...
Amazon Q Developer MCP trust flaw (CVE-2026-12957)
VulnerabilityAbout this happening: **Amazon Q Developer** had a **high-severity** trust-boundary flaw in **MCP server** handling that could let a malicious repository trigger commands on a developer machine and ste...
Dify cross-tenant auth bypass vulnerabilities multiple vulnerabilities path traversal flaw (CVE-2026-41948)
Vulnerability
H score31
First: 22.06.2026 19:13
Last: 22.06.2026 19:13
Sources 1
About this happening:
Researchers disclosed **four Dify vulnerabilities** that exposed **cross-tenant AI chats, documents, and internal API access** on the platform's multi-tenant cloud service. Three...
Dify cross-tenant auth bypass vulnerabilities multiple vulnerabilities path traversal flaw (CVE-2026-41948)
VulnerabilityAbout this happening: Researchers disclosed **four Dify vulnerabilities** that exposed **cross-tenant AI chats, documents, and internal API access** on the platform's multi-tenant cloud service. Three...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Timeline
-
12.02.2026 23:34 3 articles · 4mo ago
Hacktron discloses CVE-2026-1731 in BeyondTrust appliances
Technical Analysis UpdateHacktron discovered CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access appliances and responsibly disclosed it to BeyondTrust on January 31, with roughly 11,000 Remote Support instances exposed online and about 8,500 on-premises deployments.
Show sources
- Critical BeyondTrust RCE flaw now exploited in attacks, patch now — www.bleepingcomputer.com — 12.02.2026 23:34
- CISA gives feds 3 days to patch actively exploited BeyondTrust flaw — www.bleepingcomputer.com — 16.02.2026 14:33
- CISA: BeyondTrust RCE flaw now exploited in ransomware attacks — www.bleepingcomputer.com — 20.02.2026 19:02
-
12.02.2026 23:34 1 articles · 4mo ago
BeyondTrust patches SaaS instances for CVE-2026-1731
Mitigation Patch UpdateBeyondTrust automatically patched all Remote Support and Privileged Remote Access SaaS instances on February 2, 2026, while self-hosted customers of the affected appliances still had to install patches manually.
Show sources
- Critical BeyondTrust RCE flaw now exploited in attacks, patch now — www.bleepingcomputer.com — 12.02.2026 23:34
-
12.02.2026 23:34 1 articles · 4mo ago
BeyondTrust publicly warns on CVE-2026-1731
Initial DisclosureBeyondTrust disclosed CVE-2026-1731 on February 6, warning that unauthenticated attackers could trigger a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and older Privileged Remote Access versions by sending specially crafted client requests.
Show sources
- Critical BeyondTrust RCE flaw now exploited in attacks, patch now — www.bleepingcomputer.com — 12.02.2026 23:34
-
12.02.2026 23:34 2 articles · 4mo ago
watchTowr reports first exploitation of exposed BeyondTrust portals
Exploitation ObservedwatchTowr reported first in-the-wild exploitation of exposed BeyondTrust portals on February 12, 2026, saying attackers were abusing /get_portal_info to extract the X-Ns-Company value before establishing a WebSocket channel and execute commands on vulnerable systems.
Show sources
- Critical BeyondTrust RCE flaw now exploited in attacks, patch now — www.bleepingcomputer.com — 12.02.2026 23:34
- Critical BeyondTrust RCE flaw now exploited in attacks, patch now — www.bleepingcomputer.com — 12.02.2026 23:34