BeyondTrust Patches Critical Pre-Auth RCE Vulnerability in Remote Support Tools

Security Reporter

BeyondTrust has released emergency updates to address CVE-2026-1731, a critical pre-authentication remote code execution vulnerability affecting Remote Support and Privileged Remote Access products, with nearly 11,000 internet-exposed instances identified.

BeyondTrust has issued critical security updates for its Remote Support (RS) and Privileged Remote Access (PRA) products following the discovery of a severe vulnerability that enables unauthenticated attackers to execute arbitrary commands on affected systems. Tracked as CVE-2026-1731 with a CVSS score of 9.9, this operating system command injection flaw allows complete system compromise without requiring authentication.

The Vulnerability Explained

According to BeyondTrust's advisory released on February 6, 2026: "By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user." Successful exploitation could lead to:

  • Full system takeover with site user privileges
  • Unauthorized data exfiltration
  • Service disruption and system manipulation
  • Potential lateral movement within networks

The vulnerability specifically impacts:

  • Remote Support: Versions 25.3.1 and prior
  • Privileged Remote Access: Versions 24.3.4 and prior

Patch and Upgrade Requirements

BeyondTrust released the following remediations:

  • Remote Support: Apply Patch BT26-02-RS and upgrade to version 25.3.2 or later
  • Privileged Remote Access: Apply Patch BT26-02-PRA and upgrade to version 25.1.1 or later

Critical implementation notes:

  1. Self-hosted customers without automatic updates must manually apply patches
  2. Instances running RS versions older than 21.3 or PRA versions older than 22.1 require full product upgrades before patching
  3. Organizations should verify internet exposure of these services immediately
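
The version rules above can be turned into a triage check over an asset inventory. This is an added example, not BeyondTrust tooling: the status labels, function names and sample hosts are constructed here. Versions that fall between the last affected and the first fixed release are flagged for manual review because the article does not cover them.

```python
# Added example: thresholds are copied from the article text above.
RULES = {
    # product: (last affected, first fixed, oldest version patchable in place, patch)
    "RS":  ((25, 3, 1), (25, 3, 2), (21, 3, 0), "BT26-02-RS"),
    "PRA": ((24, 3, 4), (25, 1, 1), (22, 1, 0), "BT26-02-PRA"),
}

INVENTORY = [  # constructed sample hosts, not real data
    ("rs-edge-01", "RS", "25.3.1"),
    ("rs-legacy", "RS", "21.2.3"),
    ("pra-dmz", "PRA", "24.3.4"),
    ("pra-new", "PRA", "25.1.1"),
    ("pra-mid", "PRA", "25.1.0"),
]

def parse_version(text):
    """Turn '21.3' into (21, 3, 0); raise ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(product, version):
    """Classify one instance for CVE-2026-1731 remediation planning."""
    if product not in RULES:
        return "UNKNOWN_PRODUCT"
    last_affected, first_fixed, patch_floor, patch = RULES[product]
    try:
        v = parse_version(version)
    except ValueError:
        return "UNPARSEABLE_VERSION"
    if v >= first_fixed:
        return "FIXED"
    if v > last_affected:
        # Between the two bounds the article gives no verdict.
        return "CHECK_ADVISORY"
    if v < patch_floor:
        return "UPGRADE_THEN_PATCH"
    return f"APPLY_{patch}"

def triage_inventory(rows):
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:12} {status}")
```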

Exposure Analysis and Urgency

Security researcher Harsh Jaiswal, co-founder of Hacktron AI, identified the flaw through AI-assisted variant analysis on January 31, 2026. His research revealed approximately 11,000 internet-exposed instances, with about 8,500 representing vulnerable on-premises deployments. "These systems remain at significant risk until patched," Jaiswal emphasized. "The pre-authentication nature makes this particularly dangerous for publicly accessible administration interfaces."

Historical context heightens the urgency: BeyondTrust's privileged access solutions have frequently been targeted by advanced threat actors. While no active exploitation of CVE-2026-1731 has been confirmed, the combination of high severity, low attack complexity, and the privileged nature of these systems makes them a compelling target.

  1. Immediate Patching: Prioritize updates for all RS/PRA installations using BeyondTrust's security advisory guidance
  2. Exposure Reduction: Restrict internet access to administration interfaces through VPNs or IP allowlisting
  3. Compromise Assessment: Review systems for unusual processes, unexpected outbound connections, or unauthorized account activity
  4. Defense Layering: Implement endpoint detection on systems running privileged access tools

Organizations using these products should treat this vulnerability as critical due to the privileged position these tools hold within IT environments. The patching window is especially crucial given the public disclosure and high visibility of affected systems.
