CISA confirms active ransomware exploitation of CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access, urging immediate patching.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active ransomware campaigns exploiting CVE-2026-1731, a critical remote code execution vulnerability in BeyondTrust's Remote Support and Privileged Remote Access solutions. This pre-authentication flaw allows attackers to execute arbitrary commands on unpatched systems through specially crafted client requests.
Vulnerability Details and Impact
CVE-2026-1731 stems from an operating system command injection weakness in:
- BeyondTrust Remote Support versions 25.3.1 and earlier
- Privileged Remote Access versions 24.3.4 and earlier
According to BeyondTrust's security advisory, exploitation requires no authentication, enabling threat actors to gain full system control. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 13 with the critical designation "Known To Be Used in Ransomware Campaigns."
Exploitation Timeline
- January 31, 2026: Initial in-the-wild exploitation detected (confirmed by BeyondTrust)
- February 2, 2026: Cloud (SaaS) instances automatically patched
- February 6, 2026: BeyondTrust discloses the vulnerability
- February 13, 2026: CISA issues an emergency directive giving federal agencies 3 days to patch
- Current: Active ransomware exploitation observed, with publicly available proof-of-concept exploits
Patching Instructions
Cloud (SaaS) Customers
No action required. Patches were automatically applied to all SaaS instances on February 2.
Self-Hosted Customers
- Remote Support installations: Upgrade to version 25.3.2
- Privileged Remote Access installations: Upgrade to version 25.1.1 or newer
- Legacy versions: Systems running Remote Support (RS) v21.3 or Privileged Remote Access (PRA) v22.1 must first upgrade to a supported version before the patch can be applied
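The affected and fixed versions quoted above, turned into a check that can be run over an inventory export. This is an added example, not BeyondTrust's or CISA's tooling; the product keys, the `hosting` field, and the rule that builds at or below the legacy versions need an intermediate upgrade are assumptions.

```python
"""Triage helper for CVE-2026-1731 exposure across a BeyondTrust inventory.
Added example, not vendor tooling: version boundaries come from the write-up
above; treating builds at or below the legacy versions as legacy is assumed."""
from dataclasses import dataclass

# (max affected, fixed release, legacy build) per product, as quoted above.
PRODUCTS = {
    "RS": {"max_affected": (25, 3, 1), "fixed": (25, 3, 2), "legacy": (21, 3, 0)},
    "PRA": {"max_affected": (24, 3, 4), "fixed": (25, 1, 1), "legacy": (22, 1, 0)},
}

def parse_version(text: str) -> tuple[int, int, int]:
    """'v25.3.1' -> (25, 3, 1); short forms are zero-padded. Raises on junk."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])

@dataclass
class Triage:
    product: str
    installed: str
    action_required: bool
    action: str

def triage(product: str, installed: str, hosting: str = "self-hosted") -> Triage:
    # hosting is 'saas' or 'self-hosted' (assumed inventory field)
    spec = PRODUCTS[product.upper()]
    if hosting.lower() == "saas":
        return Triage(product, installed, False, "no action: SaaS patched automatically on February 2")
    v = parse_version(installed)
    fixed = ".".join(map(str, spec["fixed"]))
    if v >= spec["fixed"]:
        return Triage(product, installed, False, "patched")
    if v > spec["max_affected"]:
        # Gap between the quoted affected ceiling and the fixed release: flag, do not assume safe.
        return Triage(product, installed, True, f"above quoted affected ceiling but below {fixed}: confirm with vendor advisory")
    if v <= spec["legacy"]:
        return Triage(product, installed, True, f"legacy build: upgrade to a supported release first, then to {fixed}")
    return Triage(product, installed, True, f"upgrade to {fixed}")

def needs_action(inventory: list[tuple[str, str, str]]) -> list[Triage]:
    """Keep only rows still needing work, from (product, version, hosting) tuples."""
    return [t for t in (triage(*row) for row in inventory) if t.action_required]

if __name__ == "__main__":
    sample = [("RS", "25.3.1", "self-hosted"), ("RS", "25.3.2", "self-hosted"),  # constructed rows
              ("PRA", "v22.1", "self-hosted"), ("PRA", "24.3.4", "saas")]
    for t in needs_action(sample):
        print(f"{t.product} {t.installed}: {t.action}")
```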
Critical Next Steps
- Verify patch status via the /appliancemanagement interface
- Enable automatic updates for future protection
- Audit logs for unusual activity dating back to January 31
- Refer to CISA's KEV catalog entry for detection guidance
Security researcher Harsh Jaiswal and the Hacktron AI team first documented the anomalous activity that led to BeyondTrust's investigation. Given CISA's emergency directive and the confirmed ransomware linkage, organizations should treat this vulnerability as a critical infrastructure risk.
