Threat actors are weaponizing CVE-2026-1731, a CVSS 9.9 vulnerability in BeyondTrust Remote Support and Privileged Remote Access products, enabling unauthenticated remote code execution through WebSocket exploitation.
Researchers have observed active exploitation of a critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, marking a concerning escalation in the threat landscape.
In-the-Wild Exploitation Begins
Security researchers at watchTowr reported overnight observations of threat actors actively exploiting CVE-2026-1731 across their global sensors. The vulnerability, which carries a maximum CVSS score of 9.9, allows unauthenticated attackers to achieve remote code execution.
"Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel," explained Ryan Dewhurst, head of threat intelligence at watchTowr, in a post on X.
The exploitation technique demonstrates sophisticated attack patterns where adversaries leverage legitimate functionality to establish covert communication channels before delivering malicious payloads.
Vulnerability Details and Impact
BeyondTrust disclosed the vulnerability last week, noting that successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. This could result in unauthorized access, data exfiltration, and service disruption.
The flaw affects:
- Remote Support: Requires Patch BT26-02-RS, version 25.3.2 and later
- Privileged Remote Access: Requires Patch BT26-02-PRA, version 25.1.1 and later
CISA Expands KEV Catalog
In related developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four additional vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation:
CVE-2026-20700 - Apple Ecosystem Flaw
- CVSS Score: 7.8
- Impact: Improper restriction of operations within memory buffer bounds
- Affected: iOS, macOS, tvOS, watchOS, and visionOS
- Risk: Memory write capability could lead to arbitrary code execution
- Apple's Assessment: May have been exploited in extremely sophisticated attacks against specific targeted individuals on versions before iOS 26, potentially for delivering commercial spyware
CVE-2025-15556 - Notepad++ Supply Chain Attack
- CVSS Score: 7.7
- Impact: Download of code without integrity check
- Attribution: China-linked state-sponsored actor Lotus Blossom (aka Billbug, Bronze Elgin, G0030, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip)
- Campaign Details: Active since at least 2009, delivering previously undocumented backdoor called Chrysalis
- Timeline: Compromise of update pipeline spanned June-October 2025, fully plugged December 2, 2025
- Methodology: Trojanized installers rather than source code modification, allowing bypass of source code reviews and integrity checks
- Targeting: Selective diversion of update traffic for strategically valuable targets including developers and administrators
DomainTools Investigations (DTI) characterized this as a "quiet, methodical intrusion" reflecting "continuity in purpose" with "long dwell times and multi-year campaigns."
CVE-2025-40536 - SolarWinds Web Help Desk
- CVSS Score: 8.1
- Impact: Security control bypass
- Risk: Unauthenticated access to restricted functionality
- Context: Microsoft recently reported multi-stage intrusions exploiting internet-exposed SolarWinds WHD instances for initial access and lateral movement
- Uncertainty: Not clear if attacks exploited CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399
CVE-2024-43468 - Microsoft Configuration Manager
- CVSS Score: 9.8
- Impact: SQL injection
- Risk: Unauthenticated command execution on server and/or underlying database
- Status: Patched by Microsoft in October 2024 as part of Patch Tuesday updates
- Current Exploitation: Unclear how this vulnerability is being exploited in real-world attacks
Government Response and Deadlines
Federal Civilian Executive Branch (FCEB) agencies face strict deadlines to address these vulnerabilities:
- CVE-2025-40536: Must be fixed by February 15, 2026
- CVE-2026-20700, CVE-2025-15556, CVE-2024-43468: Must be fixed by March 5, 2026
Broader Threat Landscape
The exploitation of these vulnerabilities occurs against a backdrop of increasingly sophisticated cyber attacks. Recent incidents include:
- Metro4Shell RCE: Exploitation in React Native CLI npm package
- NGINX Hijacking: Malicious configurations enabling large-scale web traffic hijacking
- Docker AI Flaw: Critical Ask Gordon AI flaw allowing code execution via image metadata
- n8n Vulnerability: CVE-2026-25049 enabling system command execution via malicious workflows
- Reynolds Ransomware: Embedding BYOVD driver to disable EDR security tools
Security Implications
The active exploitation of CVE-2026-1731 and other high-severity vulnerabilities demonstrates how quickly threat actors can weaponize newly disclosed flaws. The sophisticated nature of these attacks, including selective targeting and supply chain compromise techniques, indicates advanced persistent threat (APT) groups are increasingly focused on maintaining long-term access to high-value targets.
Organizations using affected BeyondTrust products should prioritize immediate patching, while all entities should review their exposure to the vulnerabilities added to CISA's KEV catalog. The selective targeting observed in the Notepad++ campaign suggests that even organizations not directly targeted may be at risk if their systems are used as stepping stones to reach primary objectives.
The convergence of critical vulnerabilities across multiple platforms and the demonstrated willingness of threat actors to exploit them in the wild underscores the importance of proactive vulnerability management and rapid patch deployment in modern cybersecurity defense strategies.
Comments
Please log in or register to join the discussion