CVE-2026-1731
BeyondTrust Privileged Remote Access and Remote Support | Pre-Auth Remote Code Execution
CVE-2026-1731 is a critical command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). The vulnerability allows unauthenticated remote code execution through specially crafted requests. It carries a CVSS v4 score of 9.9.
Because exploitation requires no authentication and no user interaction, exposed instances are at significant risk. Successful exploitation allows an attacker to execute operating system commands in the context of the site user, potentially leading to full system compromise, data exfiltration, and service disruption.
BeyondTrust reported no evidence of active exploitation at the time of disclosure. However, the technical characteristics make this vulnerability highly attractive to attackers.
Stop Guessing, Start Proving
Technical Details
The vulnerability stems from improper input validation in request handling within BeyondTrust PRA and Remote Support. Specially crafted requests can trigger OS command injection, resulting in remote code execution.
Public technical reporting indicates exploitation can occur via malicious WebSocket requests. However, vendor advisory language broadly describes exploitation through specially crafted client requests.
Attack characteristics:
- Attack vector: Network
- Authentication required: None
- User interaction: None
- Impact: Remote code execution as the site user
- CVSS v4 score: 9.9
An unauthenticated attacker can remotely trigger command execution, making internet-facing or externally accessible deployments particularly exposed.
NodeZero® Offensive Security Platform — Rapid Response
To safely verify if CVE-2026-1731 affects BeyondTrust instances, Horizon3.ai customers can take advantage of the newly released Rapid Response test to confirm exploitability and remediation after patching.
- Run the Rapid Response test — Launch the BeyondTrust PRA and Remote Support CVE-2026-1731 Rapid Response test from the customer portal to assess both internet-facing and internal instances for exploitable command injection exposure.
- Patch immediately — BeyondTrust applied patches to all Remote Support SaaS and Privileged Remote Access SaaS cloud customers as of February 2, 2026. Self-hosted customers should upgrade to a fixed version or apply the appropriate vendor patch.
- Re-run the Rapid Response test — Validate that the vulnerability is no longer exploitable and confirm remediation has effectively removed risk.
Rapid Response helps organizations focus on vulnerabilities attackers are most likely to exploit, allowing security teams to act quickly where exposure is real and validated.
Indicators of Compromise
At the time of disclosure, no specific public indicators of compromise were released. Organizations should monitor for:
- Suspicious or malformed requests targeting BeyondTrust services
- Unexpected command execution activity associated with the BeyondTrust site user
- Anomalous process creation or outbound connections from BeyondTrust hosts
Review system and application logs for unusual request patterns and unexpected command execution behavior.
Affected Versions
- Remote Support: 25.3.1 and prior
- Privileged Remote Access: 24.3.4 and prior
Fixed Versions / Mitigation
- Remote Support SaaS and Privileged Remote Access SaaS cloud customers were patched as of February 2, 2026.
- Self-hosted customers should apply:
- Remote Support: Patch BT26-02-RS (v21.3 through 25.3.1)
- Privileged Remote Access: Patch BT26-02-PRA (v22.1 through 24.x)
- All PRA versions 25.1 and greater do not require patching for this vulnerability.
References
