BeyondTrust CVE-2026-1731: Pre-Auth RCE Exploited Within 24 Hours of PoC Release
Overview
BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products have a critical pre-authentication remote code execution vulnerability, CVE-2026-1731, that is now being actively exploited in the wild. Rated CVSS 9.9, the flaw allows unauthenticated attackers to execute arbitrary operating system commands by sending specially crafted requests. Exploitation began within 24 hours of a proof-of-concept appearing on GitHub, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
Technical Details
The Vulnerability
CVE-2026-1731 affects BeyondTrust Remote Support versions 25.3.1 and earlier, along with Privileged Remote Access versions 24.3.4 and earlier. An unauthenticated, remote attacker can execute operating system commands in the context of the site user by sending specially crafted client requests. No authentication and no user interaction are required. BeyondTrust’s own advisory puts it plainly: successful exploitation “may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”
Security researchers at Hacktron AI discovered the flaw using AI-enabled variant analysis and responsibly disclosed it to BeyondTrust on January 31. Hacktron identified approximately 11,000 BeyondTrust Remote Support instances exposed to the internet, with roughly 8,500 of those being on-premises deployments that remain vulnerable until manually patched.
BeyondTrust released security advisory BT26-02 on February 6, 2026. The company had already auto-patched all SaaS instances on February 2, but self-hosted customers must apply the update themselves. Remote Support is fixed in version 25.3.2 and later. Privileged Remote Access is fixed in version 25.1.1 and later.
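The version boundaries above are the thing a defender needs to turn into an inventory check. The following script is an added example written for this article, not BeyondTrust tooling: it classifies a list of self-hosted appliances against the affected and fixed versions quoted from BT26-02 (RS 25.3.1 and earlier affected, 25.3.2 and later fixed; PRA 24.3.4 and earlier affected, 25.1.1 and later fixed). PRA builds that fall between the two quoted boundaries are reported as "verify" rather than guessed, because the advisory text reproduced here does not state their status. The hostnames and inventory rows are constructed placeholders.

```python
"""Triage helper for CVE-2026-1731: classify appliance versions against the
boundaries quoted from BeyondTrust advisory BT26-02.

Added example, not BeyondTrust's own tooling. Hostnames/inventory are constructed.
"""
from __future__ import annotations
import re

# Boundaries taken from the advisory figures quoted in the article.
BOUNDARIES = {
    "RS":  {"last_affected": (25, 3, 1), "first_fixed": (25, 3, 2)},
    "PRA": {"last_affected": (24, 3, 4), "first_fixed": (25, 1, 1)},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; trailing suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'verify' for a product/version pair."""
    b = BOUNDARIES[product.upper()]
    v = parse_version(version)
    if v <= b["last_affected"]:
        return "vulnerable"
    if v >= b["first_fixed"]:
        return "fixed"
    # Between the quoted boundaries (only possible for PRA): the advisory text
    # reproduced in the article does not cover this range, so do not guess.
    return "verify"


def triage(inventory: list[dict]) -> list[dict]:
    """Annotate each inventory row with a status.

    SaaS instances are marked as vendor-patched, since the article states they
    were auto-patched on February 2; self-hosted rows are classified by version.
    """
    out = []
    for host in inventory:
        if host.get("saas"):
            status = "fixed (SaaS, vendor-patched)"
        else:
            status = classify(host["product"], host["version"])
        out.append({**host, "status": status})
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        {"host": "rs-appliance-1.example.internal",  "product": "RS",  "version": "25.3.1"},
        {"host": "rs-appliance-2.example.internal",  "product": "RS",  "version": "25.3.2"},
        {"host": "pra-appliance-1.example.internal", "product": "PRA", "version": "24.3.4"},
        {"host": "pra-appliance-2.example.internal", "product": "PRA", "version": "25.0.0"},
        {"host": "pra-cloud.example.com",            "product": "PRA", "version": "25.1.1", "saas": True},
    ]
    for row in triage(sample):
        print(f"{row['host']:<36} {row['product']:<4} {row['version']:<8} {row['status']}")
```

Feed it the product and version string from each appliance's admin interface; anything reported as "vulnerable" or "verify" should be checked directly against BT26-02 before being considered safe.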
From PoC to Exploitation in Under 24 Hours
The vulnerability went from theoretical to actively exploited at alarming speed. Shortly after a proof-of-concept exploit was published on GitHub targeting the /get_portal_info endpoint, attackers moved in.
Ryan Dewhurst, head of threat intelligence at watchTowr, confirmed seeing the first in-the-wild exploitation across their global sensor network. “Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors,” Dewhurst reported. “Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.”
The observed attack technique is straightforward: attackers hit exposed BeyondTrust portals to call get_portal_info and extract the X-Ns-Company identifier value. They then use that value to establish a WebSocket channel to the targeted device, giving them the ability to execute commands on vulnerable systems.
That 24-hour turnaround from public PoC to active exploitation underscores a pattern that keeps accelerating. Once a working exploit hits GitHub, defenders are effectively racing against the clock.
A Familiar Target
BeyondTrust is no stranger to targeted exploitation by sophisticated adversaries. The company provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. That enormous footprint has drawn attention from state-sponsored groups before.
The Chinese hacking group Silk Typhoon weaponized previous BeyondTrust zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions. That incident triggered emergency directives from CISA. Rapid7 later revealed that exploitation of CVE-2024-12356 actually required chaining it with a then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094).
Given that track record, a CVSS 9.9 pre-auth RCE with thousands of exposed on-premises instances is exactly the kind of target that advanced adversaries will prioritize.
Timeline
- January 31: Hacktron AI discovers CVE-2026-1731 and discloses to BeyondTrust
- February 2: BeyondTrust auto-patches all Remote Support and PRA SaaS instances
- February 6: BeyondTrust publishes security advisory BT26-02
- February 9: Rapid7 publishes technical analysis and releases InsightVM/Nexpose detection checks
- ~February 11: Proof-of-concept exploit published on GitHub
- ~February 12: watchTowr observes first in-the-wild exploitation across global sensors
- February 13: CISA adds CVE-2026-1731 to Known Exploited Vulnerabilities catalog
Impact
The consequences of this vulnerability are severe for any organization running self-hosted BeyondTrust appliances. BeyondTrust Remote Support and Privileged Remote Access are tools designed to give administrators, help desk staff, and managed service providers remote control over endpoints and privileged sessions. Compromising these systems gives an attacker a ready-made pivot point into the environments those tools manage.
Think about the access model for a moment. BeyondTrust PRA is specifically built to broker privileged access sessions. An attacker who gains code execution on a PRA appliance is sitting on top of the keys to every privileged connection that passes through it. The potential for credential theft, session hijacking, and lateral movement into high-value targets is substantial.
The speed of exploitation also raises the question of how many organizations were exposed during the gap between the PoC release and their patch cycle. watchTowr’s guidance was blunt: if your devices are not patched, assume they are compromised.
For organizations that have not yet patched, the question is no longer “should we update?” but rather “have we already been breached?”
Recommended Actions
- Patch immediately. Self-hosted BeyondTrust Remote Support deployments should upgrade to version 25.3.2 or later. Privileged Remote Access deployments should upgrade to version 25.1.1 or later. Verify patching against BeyondTrust’s advisory BT26-02.
- Assume compromise if unpatched. If your on-premises BeyondTrust appliances were internet-facing and not patched before the PoC was published, treat them as potentially compromised. Initiate forensic investigation and check for indicators of unauthorized access.
- Restrict internet exposure. BeyondTrust appliances should not be broadly exposed to the public internet. Place them behind VPN or zero-trust access controls where possible, and limit access to administrative interfaces to known management IP ranges.
- Rotate credentials. Any credentials, session tokens, or API keys managed by or passing through the affected BeyondTrust appliances should be rotated as a precaution, particularly for organizations that delayed patching.
- Monitor for post-exploitation activity. Watch for anomalous WebSocket connections to BeyondTrust portals, unexpected command execution from the BeyondTrust site user context, and any calls to the /get_portal_info endpoint from unrecognized IP addresses.
- Review your BeyondTrust deployment architecture. This is the second major exploitation campaign against BeyondTrust products in roughly 14 months, following the Silk Typhoon / U.S. Treasury incident. If your organization relies heavily on BeyondTrust for privileged access management, evaluate whether your deployment architecture limits blast radius in the event of appliance compromise.
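The monitoring recommendation above describes a two-step pattern worth correlating rather than alerting on in isolation: a /get_portal_info request from an address outside your known management ranges, followed shortly by a WebSocket handshake from the same client. The script below is an added example, not a vendor signature or part of this article's original guidance. It assumes a combined-format access log from a reverse proxy in front of the appliance (field order, the WebSocket path, the allowlisted ranges and the 10-minute correlation window are all assumptions; the appliance's native log format may differ), and the log lines it runs on are constructed.

```python
"""Correlate /get_portal_info calls with subsequent WebSocket handshakes in a
combined-format access log. Added example; log format, allowlist, WebSocket
path and time window are assumptions, and the sample lines are constructed.
"""
from __future__ import annotations
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed combined log format: ip - - [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed management ranges that are expected to reach the portal API.
KNOWN_RANGES = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]
# Assumed: a WebSocket handshake within this window of a get_portal_info call is suspicious.
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_known(ip: str) -> bool:
    """True if the client address falls inside an allowlisted management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def analyse(lines: list[str]) -> list[tuple[str, str, datetime]]:
    """Return (ip, kind, timestamp) alerts.

    kind is 'portal_info_unknown_ip' for a get_portal_info call from outside the
    allowlist, or 'portal_info_then_websocket' for an HTTP 101 (Switching
    Protocols) handshake from any client within WINDOW of its get_portal_info call.
    """
    alerts = []
    last_portal_info: dict[str, datetime] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        path = rec["path"].split("?", 1)[0]
        if path.endswith("/get_portal_info"):
            last_portal_info[ip] = ts
            if not is_known(ip):
                alerts.append((ip, "portal_info_unknown_ip", ts))
        elif rec["status"] == 101 and ip in last_portal_info:
            if ts - last_portal_info[ip] <= WINDOW:
                alerts.append((ip, "portal_info_then_websocket", ts))
    return alerts


# Constructed sample log; "/ws" is a placeholder for the appliance's WebSocket path.
SAMPLE_LOG = [
    '10.20.5.7 - - [12/Feb/2026:08:01:10 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "-"',
    '10.20.5.7 - - [12/Feb/2026:08:01:12 +0000] "GET /login HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.23 - - [12/Feb/2026:08:03:44 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [12/Feb/2026:08:03:45 +0000] "GET /ws HTTP/1.1" 101 0 "-" "-"',
    '203.0.113.9 - - [12/Feb/2026:09:15:00 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [12/Feb/2026:09:40:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, kind, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip:<16} {kind}")
```

On the constructed sample the allowlisted 10.20.5.7 produces nothing, 198.51.100.23 produces both alert kinds (its handshake follows one second after the portal lookup), and 203.0.113.9 is flagged only for the unknown-source lookup because its handshake falls 25 minutes later, outside the window. Tune KNOWN_RANGES and WINDOW to your environment, and treat the correlated alert as a trigger for the forensic steps listed above rather than as proof of compromise on its own.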
How Codex Can Help
If you need assistance responding to CVE-2026-1731 or evaluating your exposure, reach out. We can help with:
- Compromise assessment to determine whether unpatched BeyondTrust appliances in your environment have been exploited, including forensic analysis of WebSocket and session activity
- Vulnerability prioritization and patch management to ensure critical fixes like this one reach your self-hosted appliances before exploit code goes public
- Security architecture review of your privileged access management infrastructure to reduce exposure to similar appliance-level vulnerabilities
- Incident response if you have evidence of unauthorized access through BeyondTrust Remote Support or PRA
We are ready to assist on short notice when critical vulnerabilities demand fast action.