CVE-2026-1731: Critical BeyondTrust RS/PRA Flaw Allows Unauthenticated Remote Attackers to Take Full System Control

CVE-2026-1731 – BeyondTrust Remote Support (RS) / Privileged Remote Access (PRA)

CVE ID: CVE-2026-1731
Vendor: BeyondTrust
Affected Products:

  • BeyondTrust Remote Support (RS)
  • BeyondTrust Privileged Remote Access (PRA – specific legacy versions)

Severity and Risk Rating

CVSS Score: 9.9 (Critical)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Complete compromise of the underlying system

This vulnerability is classified as critical because it can be exploited remotely, without authentication, and results in full command execution on the target system.


Vulnerability Type

Pre-Authentication Remote Code Execution (RCE)
Root Cause: Improper input validation leading to OS command injection (CWE-78)


Affected Versions

The vulnerability affects unpatched and unsupported versions of the following:

  • BeyondTrust Remote Support (RS): Versions 25.3.1 and earlier
  • BeyondTrust Privileged Remote Access (PRA): Versions 24.3.4 and earlier

Cloud-hosted (SaaS) instances have already been remediated by the vendor. Self-hosted and on-premises deployments remain vulnerable until patched or upgraded.


Description

A flaw was identified in how BeyondTrust RS and PRA components process specific client-supplied input prior to authentication. Due to insufficient sanitization and improper handling of special characters, attacker-controlled data may be passed directly to underlying operating system command execution functions.

Because the vulnerable functionality is exposed before authentication checks are enforced, an unauthenticated attacker can trigger command execution remotely by sending specially crafted requests to the affected service endpoints.

When successfully exploited, arbitrary commands are executed in the security context of the BeyondTrust site or service account. This allows full control of the host system, including installation of malware, data exfiltration, credential harvesting, and lateral movement within the environment.


Attack Vector and Exploitation Flow

The following exploitation path has been observed and assessed during analysis:

  1. The affected RS or PRA service is exposed to the network (often internet-facing).
  2. A crafted request is sent to a vulnerable pre-authentication endpoint.
  3. Malicious input is embedded within request parameters that are later processed by system-level utilities.
  4. The input is executed as an operating system command without proper validation.
  5. Post-exploitation activities such as payload deployment, persistence creation, or network reconnaissance are performed.

No valid credentials are required at any stage of this process.


Exploitation Status / Proof of Concept

  • Public exploit code: Not broadly published at the time of analysis.
  • Proof-of-concept: Limited private and research-grade demonstrations have been reported within security communities for educational and validation purposes.
  • Weaponization risk: High. Given the simplicity of exploitation and the critical nature of the flaw, rapid weaponization is expected once exploit techniques become widely known.

Any unpatched internet-accessible instance should be considered at high risk.


MITRE ATT&CK Mapping

  • Initial Access: T1190 – Exploit Public-Facing Application
  • Execution: T1059 – Command and Scripting Interpreter
  • Persistence: T1547 – Boot or Logon Autostart Execution (post-exploitation dependent)
  • Privilege Escalation: T1068 – Exploitation for Privilege Escalation
  • Lateral Movement: T1021 – Remote Services
  • Impact: T1486 – Data Encrypted for Impact / T1041 – Exfiltration Over C2 Channel

Indicators of Compromise (IoCs)

The following indicators may suggest attempted or successful exploitation:

  • Unexpected child processes spawned by the BeyondTrust service
  • Execution of shell interpreters (e.g., cmd, powershell, sh, bash) by RS/PRA processes
  • Creation of new executable files or scripts within application or temporary directories
  • Outbound network connections initiated by the BeyondTrust service to unknown IP addresses
  • Repeated malformed or unusually long HTTP requests targeting RS/PRA endpoints

Detection and Monitoring

Recommended Log Sources

  • Web server / application access logs
  • BeyondTrust RS/PRA application logs
  • Endpoint Detection and Response (EDR) telemetry
  • Operating system process creation logs
  • Network firewall, proxy, and IDS/IPS logs

Detection Queries

Splunk – Suspicious Command Execution

index=endpoint_logs
(parent_process="*BeyondTrust*" OR parent_process="*bomgar*")
(process_name IN ("cmd.exe","powershell.exe","sh","bash"))
| stats count by host, user, process_name, command_line

Splunk – Abnormal HTTP Requests

index=web_logs
(uri_length > 1000 OR uri="*%3B*" OR uri="*%7C*" OR uri="*`*")
| stats count by src_ip, uri

Microsoft Defender / Sentinel – Process Anomaly

DeviceProcessEvents
// Match the parent by file name or install folder; "bomgar" is the legacy product name also used in the Splunk query above
| where InitiatingProcessFileName contains "BeyondTrust" or InitiatingProcessFolderPath contains "BeyondTrust"
    or InitiatingProcessFileName contains "bomgar" or InitiatingProcessFolderPath contains "bomgar"
| where FileName in~ ("cmd.exe","powershell.exe","bash","sh")   // in~ is case-insensitive; plain "in" is not
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine   // use Timestamp instead of TimeGenerated in the Defender portal

Microsoft Sentinel – Web Exploitation Patterns

AzureDiagnostics
// requestUri_s / clientIP_s are the Application Gateway (WAF) access-log fields in AzureDiagnostics
| where requestUri_s contains "%3B" or requestUri_s contains "%7C" or requestUri_s contains "`"
| summarize count() by clientIP_s, requestUri_s
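The same IoC and query logic, as an added offline example that is not from the advisory or from BeyondTrust: it runs the process-anomaly and abnormal-request checks above over constructed process events and access-log lines. The field names (parent_process, process_name, command_line), the log line format and the sample values are assumptions; it also URL-decodes each URI once, so %60 and literal metacharacters are caught alongside the encoded forms the queries above match.

```python
from urllib.parse import unquote

# Shell interpreters the advisory names as suspicious children of RS/PRA processes.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Parent-process name fragments used by the advisory's Splunk and KQL queries.
PARENT_MARKERS = ("beyondtrust", "bomgar")
# Shell metacharacters whose encoded forms (%3B, %7C, backtick) the web-log queries match.
INJECTION_CHARS = (";", "|", "`")
URI_LENGTH_LIMIT = 1000  # same threshold as the advisory's uri_length > 1000

def suspicious_process(event: dict) -> bool:
    """True when a shell interpreter is spawned by a BeyondTrust/Bomgar parent process."""
    parent = event.get("parent_process", "").lower()
    child = event.get("process_name", "").lower().replace("\\", "/").rsplit("/", 1)[-1]
    return any(m in parent for m in PARENT_MARKERS) and child in SHELLS

def suspicious_uri(uri: str) -> list:
    """Reasons a request URI matches the advisory's abnormal-request patterns."""
    reasons = ["long_uri"] if len(uri) > URI_LENGTH_LIMIT else []
    decoded = unquote(uri)  # one decode pass catches %3B/%7C/%60 and literal characters alike
    return reasons + [f"metachar:{c}" for c in INJECTION_CHARS if c in decoded]

def triage(process_events: list, web_log: list) -> dict:
    """Run both checks over process telemetry and access-log lines; return the hits."""
    hits = {"process": [], "web": []}
    for ev in process_events:
        if suspicious_process(ev):
            hits["process"].append((ev["host"], ev["command_line"]))
    for line in web_log:  # constructed line format: "<src_ip> <method> <uri> <proto> <status>"
        src, _, uri, *_ = line.split(" ")
        if reasons := suspicious_uri(uri):
            hits["web"].append((src, reasons))
    return hits
# Constructed sample telemetry; not real BeyondTrust or Bomgar log output.
PROCESS_EVENTS = [
    {"host": "rs01", "parent_process": r"C:\Program Files\BeyondTrust\svc.exe",
     "process_name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "rs01", "parent_process": r"C:\Windows\explorer.exe",
     "process_name": "powershell.exe", "command_line": "powershell.exe"},
    {"host": "pra02", "parent_process": "/opt/bomgar/bin/appliance",
     "process_name": "/bin/sh", "command_line": "sh -c id"},
]
WEB_LOG = [
    "203.0.113.10 GET /login HTTP/1.1 200",
    "203.0.113.20 GET /api/endpoint?x=1%3Bid HTTP/1.1 500",
    "203.0.113.30 GET /api/endpoint?x=" + "A" * 1200 + " HTTP/1.1 414",
]
if __name__ == "__main__":
    print(triage(PROCESS_EVENTS, WEB_LOG))
```

Semicolons and pipes occur in legitimate URLs, so treat the web-log hits as triage candidates to correlate with the process-telemetry hits rather than as standalone alerts.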

Impact Assessment

Successful exploitation may result in:

  • Full administrative control of the affected host
  • Compromise of privileged credentials managed by the platform
  • Unauthorized remote access to internal systems
  • Data theft, ransomware deployment, or service disruption
  • Loss of trust and regulatory exposure

Remediation and Mitigation

Mandatory Action

All affected systems must be patched or upgraded immediately.

Official BeyondTrust Patch and Upgrade Advisory:
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02

Additional Hardening Measures

  • Restrict RS/PRA access to trusted IP ranges or VPNs only
  • Remove direct internet exposure where possible
  • Enable enhanced logging and retain logs for extended periods
  • Monitor for abnormal child process creation and outbound traffic
  • Rotate credentials and secrets if compromise is suspected

Final Takeaway

CVE-2026-1731 represents a high-impact, low-complexity vulnerability that directly exposes BeyondTrust RS and PRA systems to full remote takeover. Due to the pre-authentication nature of the flaw and the level of access gained upon exploitation, this vulnerability should be treated as an emergency for any organization operating affected versions.

Immediate patching, exposure reduction, and active threat monitoring are strongly advised to reduce the risk of compromise.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.