A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access appliances is now being actively exploited in attacks after a proof-of-concept was published online.
Tracked as CVE-2026-1731 and assigned a near-maximum CVSS score of 9.9, the flaw affects BeyondTrust Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier.
BeyondTrust disclosed the vulnerability on February 6, warning that unauthenticated attackers could exploit it by sending specially crafted client requests.
"BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical pre-authentication remote code execution vulnerability that may be triggered through specially crafted client requests," explained BeyondTrust. "Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."
BeyondTrust automatically patched all Remote Support and Privileged Remote Access SaaS instances on February 2, 2026, but on-premise customers must install patches manually.
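The advisory's affected ranges are easy to misread when an inventory mixes products and version-string styles. The following is an added example, not BeyondTrust's code or tooling, that encodes the two ceilings named above (Remote Support 25.3.1 and earlier, Privileged Remote Access 24.3.4 and earlier) and runs them over a constructed inventory; the hostnames, the fourth-component build style and the unrelated product name are assumptions for illustration.

```python
"""Added example: flag BeyondTrust appliance versions in the affected ranges
stated in the advisory text (Remote Support 25.3.1 and earlier, Privileged
Remote Access 24.3.4 and earlier). Not vendor code; the inventory is made up."""
import re

# Highest affected version per product, as stated in the advisory.
AFFECTED_UP_TO = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}


def parse_version(text):
    """Parse the leading dotted-numeric part of a version string into ints.

    '25.3.1', '24.3.4-hotfix2' and '25.3' all parse; anything without a
    leading number is rejected rather than silently treated as unaffected.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, version):
    """True if `version` is at or below the affected ceiling for `product`.

    Only the first len(ceiling) components are compared, padded with zeros,
    so '25.3' counts as 25.3.0 (affected) and a build such as '25.3.1.7' is
    still flagged. That is deliberately conservative: confirm against the
    vendor's published fixed builds before clearing a host.
    """
    ceiling = AFFECTED_UP_TO[product]
    v = parse_version(version)
    v = (v + (0,) * len(ceiling))[: len(ceiling)]
    return v <= ceiling


def triage(inventory):
    """Return hostnames that need the CVE-2026-1731 patch.

    `inventory` is an iterable of (hostname, product, version) tuples.
    Products not covered by the advisory are skipped, not flagged.
    """
    needs_patch = []
    for host, product, version in inventory:
        if product in AFFECTED_UP_TO and is_affected(product, version):
            needs_patch.append(host)
    return needs_patch


# Constructed inventory for illustration only (assumed hostnames/versions).
SAMPLE_INVENTORY = [
    ("rs-dmz-01", "Remote Support", "25.3.1"),
    ("rs-dmz-02", "Remote Support", "25.3"),
    ("pra-core-01", "Privileged Remote Access", "24.3.4"),
    ("pra-core-02", "Privileged Remote Access", "25.0.0"),
    ("jump-01", "Unrelated Product", "23.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch now")
```

The comparison is intentionally inclusive at the boundary: a host reporting exactly 25.3.1 or 24.3.4 is flagged, and a longer build string that starts with an affected version is flagged too, because the advisory names only "and earlier" ranges rather than the first fixed build.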
CVE-2026-1731 is now exploited in the wild
Hacktron discovered the vulnerability and responsibly disclosed it to BeyondTrust on January 31. Hacktron says approximately 11,000 BeyondTrust Remote Support instances were exposed online, with around 8,500 on-premises deployments.
Ryan Dewhurst, head of threat intelligence at watchTowr, now reports that attackers have begun actively exploiting the vulnerability, warning that if devices are not patched, they should be assumed to be compromised.
"Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," Dewhurst posted on X. "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel."
This exploitation began a day after a proof-of-concept exploit targeting the same /get_portal_info endpoint was published on GitHub. The attacks query exposed BeyondTrust portals to retrieve the 'X-Ns-Company' identifier, then use it to open a WebSocket connection to the targeted appliance, over which the attackers execute commands on vulnerable systems.
Organizations using self-hosted BeyondTrust Remote Support or Privileged Remote Access appliances should immediately apply available patches or upgrade to the latest versions.
BleepingComputer contacted BeyondTrust and Dewhurst to ask if they had any details on post-exploitation activity and will update this story if we receive a response.
Technical Analysis of the Vulnerability
CVE-2026-1731 is particularly dangerous because it requires no authentication and allows remote code execution before any login occurs: an attacker needs neither valid credentials nor any interaction from a user.
The publicly described attack chain starts at the /get_portal_info endpoint, which returns information about the portal configuration, including the X-Ns-Company value. Obtaining that value is not itself the vulnerability; it is a prerequisite for opening the WebSocket channel over which the command execution happens. The public reports cited above describe the sequence of requests, not the root cause inside the appliance.
The attack chain works as follows:
- Attackers send a request to the /get_portal_info endpoint of an exposed portal
- The endpoint returns the X-Ns-Company identifier
- Attackers use this identifier to establish a WebSocket connection to the appliance
- Through the WebSocket channel, attackers execute operating system commands in the context of the site user
The fact that this vulnerability has a CVSS score of 9.9 (just 0.1 point away from the maximum) underscores its severity. The high score reflects the combination of critical factors: no authentication required, remote code execution capability, and the potential for complete system compromise.
Immediate Actions Required
For organizations using BeyondTrust Remote Support or Privileged Remote Access:
Immediate Patching: If you're running an affected version (Remote Support 25.3.1 and earlier, Privileged Remote Access 24.3.4 and earlier), apply the vendor patches immediately. SaaS instances were patched by BeyondTrust on February 2; on-premise appliances must be updated manually.
Network Segmentation: Until an on-premise appliance is patched, limit who can reach it. A support portal is typically meant to be reachable by end users, so full isolation may not be practical; at minimum restrict the portal and management interfaces to known source addresses or place them behind a VPN.
Monitoring: Review appliance and reverse-proxy logs for requests to /get_portal_info, particularly from sources that never loaded the portal normally, and for WebSocket upgrades (HTTP 101 responses) from the same source shortly afterwards, which matches the sequence observed in the wild.
Assumption of Compromise: Because exploitation is ongoing and the flaw is pre-authentication, treat any unpatched, internet-exposed appliance as potentially compromised. Patching alone does not evict an attacker who is already on the system, so investigate before or alongside the update and be prepared to rebuild the appliance.
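The monitoring advice above can be turned into a concrete log check. The following is an added example, not code from BleepingComputer, watchTowr or BeyondTrust: it parses access-log lines in an assumed combined-log layout (the real appliance format is not given on this page, so the regex is an assumption to adapt), then flags any source IP whose /get_portal_info request is followed within a short window by an HTTP 101 WebSocket upgrade from the same IP, the order of events Dewhurst described. The sample lines and the WebSocket path are constructed; the detection keys on the 101 status, not the path.

```python
"""Added example: spot the exploitation sequence described by watchTowr
(a /get_portal_info request followed by a WebSocket upgrade from the same
source) in appliance access logs. Log format and sample lines are assumed
and constructed; adapt LOG_RE to what your appliance or reverse proxy emits."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed combined-log layout: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic, not captured data. The WebSocket path is a
# placeholder; detection keys on the 101 Switching Protocols status.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:03:14:05 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.7 - - [12/Feb/2026:03:14:06 +0000] "GET /get_portal_info HTTP/1.1" 200 812
198.51.100.9 - - [12/Feb/2026:03:20:11 +0000] "GET /get_portal_info HTTP/1.1" 200 812
198.51.100.9 - - [12/Feb/2026:03:20:13 +0000] "GET /websocket-placeholder HTTP/1.1" 101 0
198.51.100.9 - - [12/Feb/2026:03:20:14 +0000] "GET /websocket-placeholder HTTP/1.1" 101 0
192.0.2.44 - - [12/Feb/2026:04:02:00 +0000] "GET /get_portal_info HTTP/1.1" 200 812
"""


def parse_log(text):
    """Parse matching lines into dicts sorted by timestamp; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0],  # drop any query string
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_exploit_sequences(events, window_seconds=60):
    """Return one alert per (source IP, /get_portal_info hit) that is followed
    within `window_seconds` by an HTTP 101 WebSocket upgrade from the same IP."""
    window = timedelta(seconds=window_seconds)
    last_portal_info = {}   # ip -> timestamp of most recent /get_portal_info
    seen = set()            # (ip, portal_info_ts) pairs already alerted on
    alerts = []
    for e in events:
        if e["path"] == "/get_portal_info":
            last_portal_info[e["ip"]] = e["ts"]
        elif e["status"] == 101:
            t0 = last_portal_info.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= window and (e["ip"], t0) not in seen:
                seen.add((e["ip"], t0))
                alerts.append({
                    "ip": e["ip"],
                    "portal_info_at": t0.isoformat(),
                    "upgrade_at": e["ts"].isoformat(),
                })
    return alerts


def portal_info_sources(events):
    """Count /get_portal_info requests per source IP for triage; scanners and
    PoC users show up here even when no WebSocket upgrade follows."""
    return Counter(e["ip"] for e in events if e["path"] == "/get_portal_info")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in find_exploit_sequences(evs):
        print(f"ALERT {a['ip']}: get_portal_info at {a['portal_info_at']}, "
              f"WebSocket upgrade at {a['upgrade_at']}")
    print("get_portal_info hits by source:", dict(portal_info_sources(evs)))
```

Treat hits as a triage list rather than proof of compromise: legitimate clients may well fetch portal information before opening their own WebSocket, so the useful signal is the sequence arriving from addresses that have no history with the portal, or a burst of such sequences after the proof-of-concept was published. The per-source count is there to catch scanners and PoC runs that stopped short of the upgrade.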
Broader Implications for Remote Access Security
This vulnerability highlights the ongoing challenges in securing remote access solutions. As organizations increasingly rely on remote support and privileged access management tools, these systems become attractive targets for attackers.
The BeyondTrust vulnerability is part of a concerning trend of critical flaws being discovered in widely-used remote access and privileged access management solutions. Just recently, similar critical vulnerabilities were found in:
- VMware products (CVE-2025-2145)
- Trend Micro security products
- WatchGuard Firebox firewalls
These incidents underscore the importance of:
- Regular security assessments of remote access infrastructure
- Prompt patch management
- Network segmentation for critical systems
- Zero-trust security models that don't rely solely on perimeter defenses
Expert Recommendations
Security experts recommend the following additional measures:
Defense in Depth: Don't rely on a single security control. Implement multiple layers of protection including network segmentation, application whitelisting, and intrusion detection systems.
Vulnerability Management: Establish a robust vulnerability management program that includes regular scanning, prioritization based on risk, and rapid patch deployment for critical vulnerabilities.
Incident Response Preparation: Ensure your incident response team is prepared to handle potential compromises of remote access systems, including forensic analysis and containment procedures.
Security by Design: When implementing new remote access solutions, consider security from the outset rather than as an afterthought. This includes evaluating the vendor's security practices and the solution's architecture for potential vulnerabilities.
As the BeyondTrust vulnerability demonstrates, the window between vulnerability disclosure and active exploitation can be extremely short. Organizations must be prepared to respond rapidly to critical security advisories to protect their systems and data.