CISA ordered federal civilian agencies to secure their BeyondTrust Remote Support instances within three days, after a critical remote code execution vulnerability was found to be actively exploited. BeyondTrust patched SaaS instances, but on-premises customers must apply manual fixes amid warnings that thousands of exposed deployments may already be compromised. #BeyondTrust #CVE-2026-1731
Key points
- CISA issued an emergency directive requiring federal agencies to secure BeyondTrust Remote Support instances by the specified deadline.
- The flaw, CVE-2026-1731, is an unauthenticated OS command injection that enables remote code execution in Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier.
- BeyondTrust patched all SaaS instances on February 2, 2026, but on-premises customers must install patches manually.
- Researchers reported active exploitation and warned that unpatched devices should be assumed compromised, with thousands of instances exposed online.
- Previously, the Silk Typhoon group exploited BeyondTrust vulnerabilities to breach U.S. government systems, including the Treasury.