Critical Remote Code Execution in BeyondTrust Remote Support & Privileged Remote Access — BT26-02 and Active Exploitation

BeyondTrust published a security advisory, BT26-02, alerting customers to a critical remote code execution (RCE) flaw affecting its widely deployed remote access products. Tracked as CVE-2026-1731, the vulnerability carries a CVSS v4 severity score of 9.9, placing it firmly in the critical risk category for enterprise environments.

What the Vulnerability Is

CVE-2026-1731 is a pre-authentication OS command injection bug in BeyondTrust Remote Support (RS) and certain legacy versions of Privileged Remote Access (PRA). An unauthenticated attacker can trigger this flaw by sending a specially crafted client request to a vulnerable instance. If successfully exploited, the attacker can run arbitrary operating system–level commands in the context of the site user — without needing valid credentials or any user interaction.

At the code level, this stems from insufficient input validation in the affected endpoint, which allows attacker-controlled parameters to reach the underlying shell interpreter. This effectively gives remote adversaries a foothold on internet-exposed systems.


Products and Versions Affected

The advisory identified the following impact surface:

  • Remote Support (RS) — Versions up to 25.3.1
  • Privileged Remote Access (PRA) — Versions up to 24.3.4

These products are used by IT teams to diagnose and remediate issues remotely, and are often placed in demilitarized zones (DMZs) or on perimeter networks, increasing exposure risk.


Official Response and Patching (BT26-02)

BeyondTrust released fixes for both products as part of advisory BT26-02:

  • Remote Support: Patch available in 25.3.2 and later
  • Privileged Remote Access: Fixed in 25.1.1 and later

For SaaS/cloud customers, the vendor rolled out automatic patches on February 2, 2026, meaning hosted instances are generally protected without further action. Self-hosted on-premises deployments, however, must apply patches manually or upgrade to the fixed versions.

Importantly:

  • Instances older than RS 21.3 or PRA 22.1 first require an upgrade path before the patch can be applied.
  • Organizations without automatic updates are considered at elevated risk until they confirm patch status.
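
The version boundaries above (affected up to RS 25.3.1 / PRA 24.3.4, fixed in RS 25.3.2 / PRA 25.1.1, upgrade path needed below RS 21.3 / PRA 22.1) are easy to misapply across a large fleet, so here is an added patch-status triage example. It is not BeyondTrust code; it assumes dotted-integer version strings, treats any release below the fixed version as unpatched (a conservative reading of the advisory), and the hostnames in the sample inventory are invented.

```python
"""Patch-status triage for BeyondTrust RS/PRA deployments, using the
version boundaries stated for advisory BT26-02 in the text above.

Added example, not vendor code. Assumptions: version strings are dotted
integers (e.g. "25.3.1"); anything below the fixed release is treated as
unpatched (conservative); deployments below the upgrade-path floor need
an intermediate upgrade before the fix can be applied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProductPolicy:
    fixed_in: tuple        # first release containing the fix
    upgrade_floor: tuple   # below this, an upgrade path is required first


# Boundaries taken from the advisory summary above.
POLICIES = {
    "RS": ProductPolicy(fixed_in=(25, 3, 2), upgrade_floor=(21, 3)),
    "PRA": ProductPolicy(fixed_in=(25, 1, 1), upgrade_floor=(22, 1)),
}


def parse_version(text: str) -> tuple:
    """Turn '25.3.1' into (25, 3, 1); rejects non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: tuple, b: tuple) -> int:
    """Compare dotted versions, padding the shorter tuple with zeros so that
    (25, 3) compares equal to (25, 3, 0). Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a_pad = a + (0,) * (n - len(a))
    b_pad = b + (0,) * (n - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


def triage(product: str, version: str) -> str:
    """Classify one deployment:
       'patched'               - at or above the fixed release
       'upgrade-path-required' - too old to take the patch directly
       'vulnerable'            - unpatched; apply the fix directly
    """
    policy = POLICIES[product.upper()]
    v = parse_version(version)
    if compare(v, policy.fixed_in) >= 0:
        return "patched"
    if compare(v, policy.upgrade_floor) < 0:
        return "upgrade-path-required"
    return "vulnerable"


def triage_inventory(inventory):
    """Run triage over (hostname, product, version) records and group hosts
    by status so the unpatched population is obvious at a glance."""
    report = {"patched": [], "vulnerable": [], "upgrade-path-required": []}
    for host, product, version in inventory:
        report[triage(product, version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions invented).
    sample = [
        ("rs-dmz-01", "RS", "25.3.1"),
        ("rs-dmz-02", "RS", "25.3.2"),
        ("pra-legacy", "PRA", "21.2.3"),
        ("pra-core", "PRA", "24.3.4"),
    ]
    for status, hosts in triage_inventory(sample).items():
        print(f"{status:>22}: {', '.join(hosts) or '-'}")
```

Feed it the product and version column from your CMDB or scanner output; hosts in the `upgrade-path-required` bucket are the ones that will not be fixed by a single patch run and deserve separate scheduling.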

Real-World Exploitation: From PoC to Attacks

While early reporting around the advisory suggested no active exploitation at publication time, subsequent developments show the threat evolving quickly:

  • A proof-of-concept (PoC) exploit for CVE-2026-1731 was published on GitHub shortly after the advisory.
  • Threat intelligence feeds and global sensors have observed active exploitation of the vulnerability in the wild. Attackers are abusing the /get_portal_info endpoint to extract an internal identifier (X-Ns-Company), then establishing WebSocket channels to execute arbitrary commands.
  • Analysts at watchTowr reported that, given the observed exploitation waves, unpatched systems should be assumed compromised.

This shift from theoretical risk to confirmed exploitation underscores how critical vulnerabilities can transition rapidly into real attacks once technical details or PoCs become publicly available.


Technical & Operational Impact

Why This Matters

  1. Unauthenticated Access: The flaw does not require valid credentials, making it trivially exploitable against internet-facing appliances.
  2. Privilege Context: Commands execute in the context of the site user, which often has elevated access within remote support infrastructure.
  3. Perimeter Exposure: Remote Support and PRA systems are frequently positioned at the network edge to facilitate support sessions, increasing their attack surface.
  4. Historical Targeting: BeyondTrust platforms have been targeted previously in supply-chain and zero-day incidents, including exploited vulnerabilities leading to lateral breaches in sensitive enterprise environments.

Successful exploitation can lead to full system compromise, data exfiltration, unauthorized access to internal assets, and service disruption.


Mitigation and Defensive Measures

Beyond immediate patching, security teams should consider:

  • Network Layer Protections: Restrict external access to support portals using firewalls, VPNs, or access control lists.
  • Monitoring & Detection: Deploy IDS/IPS rules to catch malformed client requests targeting known vulnerable endpoints.
  • Segment Remote Access Resources: Isolate RS/PRA systems from core infrastructure to limit potential lateral movement.
  • Asset Inventory: Audit internet-exposed assets using tools like Shodan or internal scanners to detect legacy deployments.
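
As an added illustration of the "Monitoring & Detection" bullet, the script below correlates two events the article already describes: a client requesting /get_portal_info and the same client then receiving a WebSocket upgrade (HTTP 101) shortly afterwards. It is not a vendor or watchTowr signature; it assumes a generic Common Log Format access log from a reverse proxy in front of the appliance, the log lines and the `/ws` path are constructed for the example, and the real appliance log layout may differ.

```python
"""Log-based detection for the exploitation pattern described above:
a client hitting /get_portal_info and then opening a WebSocket channel.

Added example, not a vendor signature. Assumes a generic reverse-proxy
access log in Common Log Format (client IP, timestamp, request line,
status code); the appliance's real log layout may differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. 203.0.113.5 is a normal portal visit,
# 198.51.100.7 shows the probe-then-upgrade sequence, 192.0.2.9 opens a
# WebSocket without a preceding probe. The "/ws" path is invented; the
# detection keys on the 101 status, not on the path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:09:14:02 +0000] "GET /get_portal_info HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2026:09:14:03 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.7 - - [10/Feb/2026:09:20:11 +0000] "GET /get_portal_info HTTP/1.1" 200 512
198.51.100.7 - - [10/Feb/2026:09:20:12 +0000] "GET /ws HTTP/1.1" 101 0
192.0.2.9 - - [10/Feb/2026:11:00:00 +0000] "GET /ws HTTP/1.1" 101 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def find_probe_then_upgrade(log_text, window=timedelta(seconds=60)):
    """Return (ip, probe_time, upgrade_time) for every client that requested
    /get_portal_info and then received a 101 Switching Protocols response
    within `window`. Lines that do not parse are skipped, so a partially
    corrupted log does not abort the sweep."""
    probes = defaultdict(list)   # ip -> timestamps of portal-info requests
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] == "/get_portal_info":
            probes[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 101:
            for t in probes[ev["ip"]]:
                if timedelta(0) <= ev["ts"] - t <= window:
                    hits.append((ev["ip"], t, ev["ts"]))
                    break
    return hits


if __name__ == "__main__":
    for ip, probe, upgrade in find_probe_then_upgrade(SAMPLE_LOG):
        print(f"suspicious sequence from {ip}: probe at {probe:%H:%M:%S}, "
              f"WebSocket upgrade at {upgrade:%H:%M:%S}")
```

A single /get_portal_info request is normal traffic for the portal itself, which is why the rule keys on the sequence rather than the endpoint alone; tune the window to your proxy's typical handshake timing and treat hits on an unpatched appliance as a trigger for the assume-compromised posture described above.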

Conclusion

CVE-2026-1731 represents a stark reminder of the threat posed by remote access vulnerabilities in enterprise IT tooling. With a near-maximum severity score and clear evidence of exploitation in the wild, it ranks among the most critical bugs impacting remote support ecosystems this year. Administrators running affected BeyondTrust products must prioritize patching and hardening activities to mitigate the risk of compromise.