BeyondTrust disclosed CVE-2026-1731 on February 12, 2026. It carries a CVSS score of 9.9 (Critical) and allows unauthenticated remote code execution in the Remote Support and Privileged Remote Access products.
Active exploitation was confirmed by watchTowr within days of disclosure, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.
What It Does
An unauthenticated attacker sends specially crafted requests to a vulnerable BeyondTrust instance and achieves remote code execution in the context of the site user, without any credentials.
Successful exploitation allows:
- Arbitrary operating system command execution
- Unauthorized access to systems and data
- Data exfiltration from remote access sessions
- Service disruption
- Lateral movement to connected systems
Who's Affected
Organizations using BeyondTrust products for remote support and privileged access:
- BeyondTrust Remote Support (RS): all versions before the patched release
- BeyondTrust Privileged Remote Access (PRA): all versions before the patched release
If your IT team or MSP uses BeyondTrust for remote access, you're potentially vulnerable.
Active Exploitation Details
watchTowr observed exploitation in the wild beginning overnight after disclosure:
- Attackers probe for vulnerable instances
- Send a request to the get_portal_info endpoint to extract the x-ns-company value
- Establish a WebSocket channel using the extracted data
- Execute arbitrary commands via crafted requests
The attack requires no authentication. Automated scanning and exploitation tools likely already exist.
CISA KEV Addition
CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities catalog, indicating:
- Evidence of active exploitation
- Significant threat to federal networks
- High priority for immediate patching
Federal agencies have mandatory patch deadlines. The private sector should treat it with the same urgency.
Patch Now
Action required: Apply BeyondTrust security updates immediately.
Visit the BeyondTrust Trust Center for specific patch versions.
Check all internet-accessible BeyondTrust instances first. These are the highest risk.
No workarounds exist. Updating is mandatory.
Check for Compromise
If you delayed patching, assume potential compromise. Check logs for:
- Unusual get_portal_info requests
- Unexpected WebSocket connections
- Commands executed as site user
- Suspicious outbound connections from BeyondTrust servers
- New user accounts or privilege changes
BeyondTrust logs sensitive remote access sessions. Compromise could expose customer environments.
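A log check for the get_portal_info and WebSocket indicators listed in this section, as an added example that is not BeyondTrust's or watchTowr's tooling: it flags clients whose get_portal_info request is followed by a WebSocket upgrade (HTTP 101). The combined access-log format, the 60-second window, the `/example-ws` path and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges). Assumption: traffic to the
# appliance is logged in combined access-log format, e.g. by a reverse proxy.
# "/example-ws" is a placeholder path, not a real BeyondTrust endpoint.
SAMPLE_LOG = """\
203.0.113.50 - - [13/Feb/2026:02:14:07 +0000] "GET /get_portal_info HTTP/1.1" 200 312 "-" "-"
203.0.113.50 - - [13/Feb/2026:02:14:09 +0000] "GET /example-ws HTTP/1.1" 101 0 "-" "-"
198.51.100.7 - - [13/Feb/2026:09:30:00 +0000] "GET /get_portal_info HTTP/1.1" 200 312 "-" "-"
192.0.2.10 - - [13/Feb/2026:10:00:00 +0000] "GET /example-ws HTTP/1.1" 101 0 "-" "-"
not a log line
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per site


def triage(log_text, window=WINDOW):
    """Return (probes, chained).

    probes:  sorted client IPs that requested get_portal_info at all.
    chained: (ip, probe_time, upgrade_time) where the same client obtained a
             WebSocket upgrade (HTTP 101) within `window` of its last probe.
    Assumes the log is in chronological order.
    """
    last_probe, chained = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if "get_portal_info" in m["path"]:
            last_probe[ip] = ts
        elif m["status"] == "101" and ip in last_probe:
            if ts - last_probe[ip] <= window:
                chained.append((ip, last_probe[ip], ts))
    return sorted(last_probe), chained


if __name__ == "__main__":
    probes, chained = triage(SAMPLE_LOG)
    print("get_portal_info sources:", probes)
    for ip, t0, t1 in chained:
        print(f"REVIEW {ip}: portal info at {t0}, WebSocket upgrade at {t1}")
```

Sources that appear only in the probes list did not complete the sequence in these logs, but still belong on the review list alongside the other indicators in this section.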
Why This Matters
BeyondTrust provides privileged remote access to critical systems. Compromise of these tools is catastrophic:
- Attackers inherit IT admin privileges
- Access to all systems BeyondTrust connects to
- Customer data and credentials at risk
- Supply chain attack vector for MSPs
- Difficult to detect (looks like legitimate admin activity)
Remote access and privilege management tools are top targets. They're keys to the kingdom.
Bottom Line
CVE-2026-1731 is a critical unauthenticated RCE in BeyondTrust. It has been actively exploited since disclosure, which CISA confirmed with its KEV addition.
Patch immediately. Check all BeyondTrust instances, prioritizing internet-facing deployments.
Verify logs for compromise indicators. If found, treat as full breach and initiate incident response.
Priority: Critical. Action: Patch today.