U.S. CISA Tracks BeyondTrust Vulnerability in Known Exploited List

  • Feb 15

Key Findings


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in BeyondTrust Remote Support (RS) and older Privileged Remote Access (PRA) products to its Known Exploited Vulnerabilities (KEV) catalog.

  • The flaw, tracked as CVE-2026-1731, has a CVSS score of 9.9 and could allow an unauthenticated attacker to execute commands remotely.

  • BeyondTrust released security updates on February 6, 2026, to address the critical vulnerability.

  • Around 11,000 BeyondTrust Remote Support instances are exposed online, with 8,500 on-prem systems that could remain vulnerable if not patched.

  • Threat actors rapidly began exploiting the newly patched vulnerability after a proof-of-concept (PoC) exploit became public on February 10.


Background


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the BeyondTrust vulnerability, CVE-2026-1731, to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to address the flaw by February 16, 2026.


Vulnerability Details


  • The vulnerability, CVE-2026-1731, is a critical pre-authentication remote code execution flaw in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) products.

  • An unauthenticated remote attacker could exploit the flaw by sending specially crafted requests to execute operating system commands, potentially leading to system compromise, data theft, and service disruption.

  • BeyondTrust released security updates on February 6, 2026, to address the vulnerability.


Exposed Systems and Exploitation


  • Hacktron researchers estimate that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments, with around 8,500 on-prem systems potentially remaining vulnerable if not patched.

  • The affected BeyondTrust deployments are used primarily by large organizations, including those in healthcare, finance, government, and hospitality.

  • After a PoC exploit was published on February 10, GreyNoise detected attack attempts within 24 hours, with a single IP responsible for the majority of reconnaissance activity.

  • The threat actors mainly probe non-standard ports, suggesting they are aware that enterprises often move BeyondTrust services off port 443.


CISA Action and Recommendations


  • CISA has ordered federal agencies to address the CVE-2026-1731 vulnerability by February 16, 2026, in accordance with Binding Operational Directive (BOD) 22-01.

  • CISA also published an alert related to this flaw, titled "Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858".

  • Experts recommend that private organizations review the KEV catalog and address the identified vulnerabilities in their infrastructure to protect against potential attacks.
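
One way to carry out that review, as an added example (not code from CISA, BeyondTrust or this page's sources): it matches an asset inventory against an entry laid out like CISA's KEV JSON feed and lists unremediated assets with the days left before the due date. The inventory format, host names and the `kev_findings` function are assumptions; the KEV entry is a constructed sample using the CVE and due date given above.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed layout (only the fields used here).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
   "product": "Remote Support (RS) and Privileged Remote Access (PRA)",
   "dueDate": "2026-02-16"}
]}
""")

# Constructed asset inventory; host names and field names are hypothetical.
INVENTORY = [
    {"host": "rs-gw-01.example.internal", "vendor": "BeyondTrust",
     "product": "Remote Support", "remediated": []},
    {"host": "pra-01.example.internal", "vendor": "beyondtrust",
     "product": "Privileged Remote Access", "remediated": ["CVE-2026-1731"]},
    {"host": "vpn-01.example.internal", "vendor": "ExampleVendor",
     "product": "Example VPN", "remediated": []},
]

def kev_findings(kev, inventory, today):
    """Return open KEV findings for inventory assets, most urgent first."""
    findings = []
    for vuln in kev["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            # Case-insensitive vendor match, product name as a substring.
            same_vendor = asset["vendor"].lower() == vuln["vendorProject"].lower()
            same_product = asset["product"].lower() in vuln["product"].lower()
            if not (same_vendor and same_product):
                continue
            if vuln["cveID"] in asset["remediated"]:
                continue  # already patched, nothing to report
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "due": due.isoformat(),
                "days_left": (due - today).days,  # negative means overdue
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in kev_findings(KEV_SAMPLE, INVENTORY, date(2026, 2, 15)):
        state = "OVERDUE" if f["days_left"] < 0 else "due"
        print(f'{f["host"]} {f["cve"]} {state} {f["due"]} ({f["days_left"]}d)')
```
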


Sources


  • https://securityaffairs.com/187982/breaking-news/u-s-cisa-adds-a-flaw-in-beyondtrust-rs-and-pra-to-its-known-exploited-vulnerabilities-catalog.html

  • https://www.linkedin.com/posts/dlross_us-cisa-adds-a-flaw-in-beyondtrust-rs-and-activity-7428603961173254144-3fQU

  • https://x.com/securityaffairs/status/2022701301532930273

© 2025 by Explain IT Again.