Critical Vulnerability Requires Immediate Patching
BeyondTrust has released urgent security updates to address a critical pre-authentication remote code execution vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and could allow unauthenticated attackers to execute arbitrary operating system commands.
Vulnerability Details
The vulnerability is an operating system command injection flaw that affects:
- Remote Support: versions 25.3.1 and prior
- Privileged Remote Access (PRA): versions 24.3.4 and prior
An unauthenticated remote attacker can send specially crafted requests to execute commands in the context of the site user, potentially leading to unauthorized system access, data exfiltration, and service disruption.
Patched Versions
Security patches are now available:
- Remote Support: Patch BT26-02-RS, versions 25.3.2 and later
- Privileged Remote Access: Patch BT26-02-PRA, versions 25.1.1 and later
BeyondTrust is urging self-hosted customers to apply the patches immediately if automatic updates are not enabled. Organizations running older versions (Remote Support < 21.3 or PRA < 22.1) must upgrade before they can apply the patch.
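The version rules above can be run against an asset inventory to decide what each instance needs. The following is an added example, not BeyondTrust or Hacktron AI code: the status labels, the function names and the sample hostnames are assumptions made here. It also assumes that a version string alone does not prove the patch is installed, so "patch" means "apply or confirm the patch".

```python
import re

# Version thresholds copied from the advisory text above.
RULES = {
    "RS":  {"affected_max": (25, 3, 1), "fixed_min": (25, 3, 2), "patch_floor": (21, 3, 0)},
    "PRA": {"affected_max": (24, 3, 4), "fixed_min": (25, 1, 1), "patch_floor": (22, 1, 0)},
}

def parse_version(text):
    """Turn '25.3' or 'v25.3.1' into a 3-tuple of ints, padding with zeros."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){0,2})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums))

def classify(product, version):
    """Return the action for one instance, using only its version string."""
    rule = RULES.get(product.strip().upper())
    if rule is None:
        return "unknown-product"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    if v >= rule["fixed_min"]:
        return "patched"
    if v > rule["affected_max"]:
        # Falls between the stated affected and fixed ranges (e.g. PRA 25.1.0):
        # the advisory text does not cover it, so confirm with the vendor.
        return "verify"
    if v < rule["patch_floor"]:
        return "upgrade-then-patch"  # too old to take the patch directly
    return "patch"  # apply or confirm BT26-02-RS / BT26-02-PRA

def triage(inventory):
    """Map (host, product, version) rows to (host, product, action) rows."""
    return [(h, p, classify(p, v)) for h, p, v in inventory]

# Constructed sample inventory; the hostnames are placeholders.
SAMPLE = [("rs-01.example.internal", "RS", "25.3.1"),
          ("rs-02.example.internal", "RS", "21.2"),
          ("pra-01.example.internal", "PRA", "25.1.0"),
          ("pra-02.example.internal", "PRA", "25.1.1")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Instances reported as "verify" sit in the gap between the listed affected and fixed PRA ranges and should be checked against the vendor advisory rather than assumed safe.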
Discovery and Exposure
According to security researchers at Hacktron AI, the vulnerability was discovered on January 31, 2026, through AI-enabled variant analysis. The initial scan identified approximately 11,000 internet-exposed instances, of which roughly 8,500 are on-premises deployments that remain vulnerable unless they are patched immediately.
Historical Context
This vulnerability comes amid a history of critical flaws in BeyondTrust products. Previous versions have been targets of active exploitation campaigns, making immediate patching essential for operational security.
TL;DR
- CVE-2026-1731: Critical pre-auth RCE in BeyondTrust RS and PRA
- CVSS Score 9.9 (critical severity)
- Apply patches immediately or upgrade to patched versions
- ~11,000 internet-exposed instances identified; ~8,500 on-prem remain vulnerable
- Prioritize patching for self-hosted deployments without automatic updates
Source: The Hacker News