CVE-2026-1731
CVE-2026-1731 is a critical-severity vulnerability in Beyondtrust Privileged Remote Access with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-02-13). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.9
- EPSS exploit prediction: 86% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-02-13)
- EU (EUVD) id: EUVD-2026-5559
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-02-13)
- Weakness: CWE-78
- Affected product: Beyondtrust Privileged Remote Access
- Published:
- Last modified:
Description
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
BeyondTrust CVE-2026-1731: Pre-Auth Remote Code Execution in Remote Support and PRA
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2026-1731 |
| CWE | CWE-78 (OS Command Injection) |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v4 | 9.9 (CRITICAL) |
| EPSS | 0.86091 (99.7th percentile) |
| KEV | Yes (added 2026-02-13) |
| Published | 2026-02-06 |
| Last Modified | 2026-06-17 |
Summary
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Background
BeyondTrust Remote Support and Privileged Remote Access are enterprise remote access solutions used by IT support and privileged access management teams. The products enable secure remote support sessions and controlled access to sensitive systems. This vulnerability affects both product lines, making it particularly concerning for organizations relying on these tools for remote administration.
Root Cause
This vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The application fails to properly sanitize user-supplied input that is subsequently passed to an underlying operating system shell or command interpreter. In the context of this pre-authentication flaw, the attack surface is exposed to the network before any identity verification occurs, allowing arbitrary command injection by an unauthenticated remote attacker.
Impact
The CVSS v3.1 score of 9.8 (CRITICAL) and CVSS v4.0 score of 9.9 (CRITICAL) reflect the severity of this vulnerability:
- Attack Vector (AV): Network — exploitable remotely over the internet
- Attack Complexity (AC): Low — no special conditions or advanced techniques required
- Privileges Required (PR): None — pre-authentication
- User Interaction (UI): None — fully automated exploitation possible
- Scope (S): Unchanged — impact remains within the vulnerable component
- Confidentiality (C), Integrity (I), Availability (A): All HIGH — complete compromise of the affected system
The EPSS score of 0.86091 (99.7th percentile) indicates an extremely high probability of active exploitation in the wild. The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog (added 2026-02-13) and has been observed in EU exploitation databases since the same date. It has also been associated with ransomware campaigns.
Exploitation Walkthrough
Defensive Analysis Only — No Exploit Code
⚠️ Ethics Caveat: This section describes the attack mechanics from a defender's perspective to aid detection and remediation. Actual exploitation of systems without authorization is illegal and unethical.
The vulnerability is triggered by sending specially crafted HTTP requests to the affected BeyondTrust endpoint. From a defensive standpoint, the attack pattern exhibits these characteristics:
- Pre-authentication targeting: Requests arrive at the application layer without valid session tokens or authentication headers.
- Command injection indicators: Unusual shell metacharacters, pipe sequences, or encoded payloads may appear in HTTP parameters or headers directed at the vulnerable endpoint.
- Context of execution: If successful, the operating system command runs under the privileges of the site user account running the BeyondTrust application.
Security teams should monitor for anomalous inbound requests to BeyondTrust Remote Support/PRA endpoints, especially those containing suspicious encoding patterns or unexpected command-like syntax.
Affected and Patched Versions
Specific affected version ranges and patched releases are not available in the disclosed data. Based on the vendor advisories:
- BeyondTrust Remote Support: Affected (all versions prior to the patch — consult vendor guidance)
- BeyondTrust Privileged Remote Access: Older versions affected (consult vendor guidance)
Action: Review BeyondTrust Security Advisory BT26-02 and BeyondTrust KB0023293 for definitive version information and patch availability.
Remediation
- Patch immediately: Apply the latest vendor-provided patches as directed by BeyondTrust. Given the CRITICAL severity and active exploitation, this should be treated as an emergency change.
- Restrict network access: Limit access to BeyondTrust Remote Support and PRA administrative interfaces to trusted IP ranges via firewall rules or VPN. Do not expose these interfaces directly to the internet unless absolutely necessary.
- Segmentation: Place BeyondTrust appliances in a segmented network zone with strict egress filtering to contain lateral movement if compromise occurs.
- Compensating controls: If patching is not immediately possible, consider disabling external-facing Remote Support instances or enforcing multi-factor authentication (MFA) at the network edge where supported (note: this does not mitigate the pre-auth nature of the flaw but raises the attack bar).
- Monitor for exploitation: Implement the detection rules outlined below.
Detection
- Network monitoring: Monitor for unusual HTTP request patterns to BeyondTrust endpoints, including requests with encoded shell metacharacters, abnormal parameter lengths, or unexpected request methods.
- Host-based detection: Review process execution logs on the BeyondTrust server for anomalous child processes spawned by the application service account (site user). Look for unexpected shell executions, script interpreters, or outbound network connections from the application context.
- Log correlation: Correlate BeyondTrust access logs with CISA KEV feeds and threat intelligence indicators for CVE-2026-1731.
- Endpoint Detection and Response (EDR): Deploy behavioral detection rules to flag OS command execution from the BeyondTrust application context, especially when the parent process is the web application worker.
Assessment
With an EPSS score of 0.86091 and placement in the 99.7th percentile, this vulnerability is among the most likely to be actively exploited. The KEV entry and EU exploitation data confirm that threat actors are weaponizing this flaw in the wild, and ransomware operators have been observed leveraging it.
Key lessons:
- Pre-authentication RCE in remote access tools is a maximum-severity scenario: Remote access and privileged session management tools are high-value targets. A single pre-auth RCE can bypass all identity and access controls, granting immediate system compromise.
- EPSS and KEV alignment accelerates prioritization: When EPSS, KEV, and ransomware tags converge, emergency patching is the only defensible posture. Security teams should pre-configure SLA exceptions for vulnerabilities meeting all three criteria.
References
- https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
- https://github.com/win3zz/CVE-2026-1731
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731
- https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731
Frequently asked questions
- What is CVE-2026-1731?
- BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
- How severe is CVE-2026-1731?
- CVE-2026-1731 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-1731 being actively exploited?
- Yes. CVE-2026-1731 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-02-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-1731?
- CVE-2026-1731 primarily affects Beyondtrust Privileged Remote Access. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-1731?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-1731 have an EU (EUVD) identifier?
- Yes. CVE-2026-1731 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-5559. It is also flagged as exploited in the EUVD (since 2026-02-13).
- When was CVE-2026-1731 published?
- CVE-2026-1731 was published on 2026-02-06 and last updated on 2026-06-17.
References
- https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
- https://github.com/win3zz/CVE-2026-1731
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731
- https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731
Affected products (2)
- cpe:2.3:a:beyondtrust:privileged_remote_access:*:*:*:*:*:*:*:*
- cpe:2.3:a:beyondtrust:remote_support:*:*:*:*:*:*:*:*
More vulnerabilities in Beyondtrust Privileged Remote Access
- CVE-2026-40141 — Critical (CVSS 9.9): A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote…
- CVE-2026-40139 — Critical (CVSS 9.8): A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote…
- CVE-2025-5309 — Critical (CVSS 9.8): The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template…
- CVE-2024-12356 — Critical (CVSS 9.8): A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which…
- CVE-2023-4310 — Critical (CVSS 9.8): BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 23.2.1 and 23.2.2 contain a command…
- CVE-2026-40138 — High (CVSS 8.1): A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and…
All CVEs affecting Beyondtrust Privileged Remote Access →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…