What happened
Threat actors began actively scanning for and attempting to exploit a critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, tracked as CVE-2026-1731, within 24 hours of the public release of a proof-of-concept (PoC) exploit. The flaw allows unauthenticated remote code execution via specially crafted requests and has drawn significant reconnaissance activity from known malicious scanning infrastructure.
Who is affected
Organizations using BeyondTrust Remote Support (versions 25.3.1 and earlier) and Privileged Remote Access (versions 24.3.4 and earlier) are potentially exposed if they have not applied the vendor’s patches released early in February 2026. An estimated 11,000 instances are internet-exposed.
Why CISOs should care
Remote support and privileged access solutions like those from BeyondTrust sit at the heart of enterprise operations and identity management. A critical remote code execution flaw that can be weaponized rapidly after a PoC release compresses defenders’ patching window and increases the risk of unauthorized access, data theft, service disruption, and broader operational compromise.
3 practical actions
- Verify and apply patches: Ensure all BeyondTrust RS and PRA instances are updated to the latest patched versions; prioritize self-hosted environments that may not auto-update.
- Audit internet-exposed services: Identify and mitigate exposure of remote access tools to the public internet; use network controls and segmentation to limit direct exposure.
- Monitor threat activity: Increase detection and logging around BeyondTrust products for unusual commands or lateral movement attempts, leveraging threat intelligence sources to correlate activity.
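
One way to combine the first two actions into a patch-priority list is shown below. This is an added example, not vendor tooling: the inventory CSV layout, hostnames and status labels are assumptions, and only the affected-version ceilings come from this brief.

```python
import csv
import io

# Inclusive affected-version ceilings as stated in this brief.
AFFECTED_CEILING = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}

# Constructed sample inventory; hostnames and columns are assumptions.
SAMPLE_INVENTORY = """host,product,version,internet_exposed
rs-dmz-01.example.internal,RS,25.3.1,yes
rs-lab-02.example.internal,RS,25.3.2,no
pra-edge-01.example.internal,PRA,24.2.9,yes
pra-core-02.example.internal,PRA,24.3.4,no
rs-old-03.example.internal,RS,unknown,yes
"""

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Label an instance 'affected', 'not-in-affected-range' or 'unknown'."""
    ceiling = AFFECTED_CEILING.get(product.strip().upper())
    version = parse_version(version_text)
    if ceiling is None or version is None:
        return "unknown"  # unreadable data needs manual verification
    width = max(len(version), len(ceiling))
    pad = lambda v: v + (0,) * (width - len(v))  # so "24.3" compares as 24.3.0
    return "affected" if pad(version) <= pad(ceiling) else "not-in-affected-range"

def triage(inventory_csv):
    """Return instances ordered by patch priority, most urgent first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["product"], row["version"])
        exposed = row["internet_exposed"].strip().lower() == "yes"
        rows.append({"host": row["host"], "status": status, "exposed": exposed})
    # Out-of-range hosts last; then internet-exposed first; then affected before unknown.
    rows.sort(key=lambda r: (r["status"] == "not-in-affected-range",
                             not r["exposed"], r["status"] != "affected"))
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f'{r["host"]:32} {r["status"]:22} exposed={r["exposed"]}')
```

Instances whose version cannot be parsed are ranked alongside affected ones rather than dropped, so gaps in the inventory surface as work items.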
