Critical Security Flaw Requires Immediate Action
BeyondTrust has released urgent security updates to address a critical vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, if exploited, could allow unauthenticated attackers to execute arbitrary operating system commands remotely.
Vulnerability Details
The security flaw, designated as CVE-2026-1731, has been classified as an operating system command injection vulnerability with a CVSS severity score of 9.9 out of 10. According to BeyondTrust's security advisory, the vulnerability allows attackers to send specially crafted requests that can execute commands in the context of the site user without any authentication.
Attack Impact and Exploitation
Successful exploitation of this vulnerability could result in:
- Unauthorized Access: Attackers can gain entry to systems without credentials
- Data Exfiltration: Sensitive information can be stolen from compromised systems
- Service Disruption: Critical business operations may be interrupted
- Lateral Movement: Attackers can potentially pivot to other systems within the network
The vulnerability was discovered on January 31, 2026, through AI-enabled variant analysis by security researcher Harsh Jaiswal, co-founder of Hacktron AI. Initial scans identified approximately 11,000 instances exposed to the internet, with around 8,500 being on-premises deployments that remain vulnerable until patches are applied.
Affected Versions
The vulnerability impacts the following product versions:
- Remote Support: Versions 25.3.1 and earlier
- Privileged Remote Access: Versions 24.3.4 and earlier
Patched Versions and Remediation
BeyondTrust has released patches that address this critical flaw:
- Remote Support: Patch BT26-02-RS, version 25.3.2 and later
- Privileged Remote Access: Patch BT26-02-PRA, version 25.1.1 and later
Organizations running self-hosted instances of Remote Support or Privileged Remote Access must manually apply the patch if their systems are not configured for automatic updates. Users running Remote Support versions older than 21.3 or Privileged Remote Access versions older than 22.1 must first upgrade to a newer version before applying the security patch.
For Privileged Remote Access users, upgrading directly to version 25.1.1 or newer will remediate the vulnerability without requiring a separate patch installation.
Historical Context and Urgency
BeyondTrust products have been targeted before. Previous security vulnerabilities in BeyondTrust Privileged Remote Access and Remote Support have been actively exploited in the wild, making it essential for organizations to prioritize this update.
The researchers have withheld detailed technical information about the exploit to allow organizations sufficient time to apply patches before threat actors can develop working exploits.
Recommendations
Security teams should take immediate action:
- Identify Exposure: Audit all BeyondTrust deployments to determine which systems are affected
- Apply Patches: Install the latest security updates as soon as possible
- Enable Auto-Updates: Configure systems to receive automatic security updates
- Monitor Access Logs: Review system logs for any signs of suspicious activity or unauthorized access attempts
- Review Network Security: Ensure that Remote Support and PRA instances are not unnecessarily exposed to the internet
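One way to carry out the "Identify Exposure" step against the version ranges listed above, as an added example that is not BeyondTrust tooling or part of the original article. The inventory, hostnames and status labels are constructed assumptions; a version number alone cannot show whether patch BT26-02-RS or BT26-02-PRA has already been applied to an older build, so in-range hosts are flagged for patching or confirmation.

```python
import re

# Version thresholds come from the article; the status labels are assumptions of this example.
RULES = {
    "RS":  {"affected_max": (25, 3, 1), "fixed_min": (25, 3, 2), "upgrade_first_below": (21, 3, 0)},
    "PRA": {"affected_max": (24, 3, 4), "fixed_min": (25, 1, 1), "upgrade_first_below": (22, 1, 0)},
}

# Constructed sample inventory (hostnames and versions are made up for illustration).
INVENTORY = [
    ("rs-gw-01.example.internal", "RS", "25.3.1"),
    ("rs-gw-02.example.internal", "RS", "25.3.2"),
    ("rs-old.example.internal", "RS", "21.2.3"),
    ("pra-01.example.internal", "PRA", "25.0.2"),
]

def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); pad two-part versions such as '21.3' with a zero."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def triage(product, version):
    """Classify one deployment against the CVE-2026-1731 version ranges."""
    rule = RULES.get(product.upper())
    if rule is None:
        return "UNKNOWN_PRODUCT"
    try:
        v = parse_version(version)
    except ValueError:
        return "UNPARSEABLE_VERSION"
    if v >= rule["fixed_min"]:
        return "FIXED_VERSION"
    if v > rule["affected_max"]:
        # Falls between the listed affected and fixed ranges; the article does not classify it.
        return "NOT_LISTED_VERIFY_WITH_VENDOR"
    if v < rule["upgrade_first_below"]:
        return "AFFECTED_UPGRADE_BEFORE_PATCHING"
    # In the affected range: apply the patch, or confirm it is already installed.
    return "AFFECTED_RANGE_APPLY_OR_CONFIRM_PATCH"

def report(inventory):
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:32} {status}")
```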
TL;DR
- BeyondTrust patched CVE-2026-1731, a critical pre-auth RCE vulnerability (CVSS 9.9) in Remote Support and Privileged Remote Access products
- Approximately 11,000 internet-exposed instances identified, with 8,500 on-prem deployments at risk
- Attackers can execute OS commands without authentication, leading to data theft and system compromise
- Update to Remote Support 25.3.2+ or PRA 25.1.1+ immediately
- Previous BeyondTrust vulnerabilities have been actively exploited, making rapid patching critical
Source: The Hacker News