CISA: BeyondTrust RCE flaw now exploited in ransomware attacks

Attackers are actively exploiting CVE-2026-1731, an OS command injection flaw in BeyondTrust Remote Support and Privileged Remote Access that enables pre-authentication remote code execution. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Feb 13 with a three-day federal patch deadline; SaaS instances were auto-patched, while self-hosted users must apply updates (RS 25.3.2, PRA 25.1.1+).

Key points

  • CVE-2026-1731 is a pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (
  • Proof-of-concept exploits and in-the-wild attacks appeared quickly, with anomalous activity detected as early as January 31.
  • CISA added the issue to the Known Exploited Vulnerabilities catalog on Feb 13 and gave federal agencies three days to remediate or cease use.
  • Cloud (SaaS) customers were automatically patched on Feb 2; self-hosted customers must enable auto-updates or manually install the fix via the appliance interface.
  • Recommended remediation is to upgrade Remote Support to 25.3.2 and Privileged Remote Access to 25.1.1 or newer; older major versions should be updated first, before applying the patches.

Read More: https://www.bleepingcomputer.com/news/security/cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks/