Introduction
A critical pre-authentication remote code execution (RCE) vulnerability has been identified and is now being actively exploited by attackers. The flaw affects BeyondTrust Remote Support and Privileged Remote Access appliances.
Vulnerability Details
The vulnerability, tracked as CVE-2026-1731, carries a near-maximum CVSS score of 9.9. It affects BeyondTrust Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier.
Disclosure and Response
BeyondTrust disclosed the vulnerability on February 6, warning that unauthenticated attackers could exploit it by sending specially crafted client requests. The company automatically patched all Remote Support and Privileged Remote Access Software as a Service (SaaS) instances on February 2, but on-premises customers must install the patches manually.
Exploitation in the Wild
Hacktron discovered the vulnerability and responsibly disclosed it to BeyondTrust on January 31. They found approximately 11,000 BeyondTrust Remote Support instances exposed online, including around 8,500 on-premises deployments.
Attack Details
Ryan Dewhurst of watchTowr reported that attackers are now actively exploiting the vulnerability. The attacks target exposed BeyondTrust portals to retrieve the ‘X-Ns-Company’ identifier, which is then used to create a WebSocket channel through which commands are executed on vulnerable systems.
Recommendations
- Organizations using self-hosted BeyondTrust Remote Support or Privileged Remote Access appliances should immediately apply available patches or upgrade to the latest versions.
