CVE-2026-1731

9.8 CRITICAL CISA KEV

📋 TL;DR

BeyondTrust Remote Support and older Privileged Remote Access versions contain a critical pre-authentication remote code execution vulnerability. Unauthenticated attackers can execute operating system commands as the site user by sending specially crafted requests. This affects organizations using vulnerable versions of these remote access solutions.

💻 Affected Systems

Products:
  • BeyondTrust Remote Support
  • BeyondTrust Privileged Remote Access
Versions: Remote Support: versions before 24.1.1; Privileged Remote Access: older versions (specific versions in vendor advisory)
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in pre-authentication components, making default configurations vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing an attacker to execute arbitrary commands, steal credentials, pivot to internal networks, and deploy ransomware or other malware.

🟠 Likely Case: Initial foothold leading to privilege escalation, credential harvesting, and lateral movement within the network.

🟢 If Mitigated: Limited impact if network segmentation, strict access controls, and monitoring prevent lateral movement after the initial compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Pre-authentication nature and command injection vulnerability make exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Remote Support 24.1.1 or later

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02

Restart Required: Yes

Instructions:

1. Download the patch from the BeyondTrust support portal.
2. Back up configuration and data.
3. Apply the patch following vendor instructions.
4. Restart services.
5. Verify the patch installation.

🔧 Temporary Workarounds

Network Segmentation (all): Restrict network access to BeyondTrust services to authorized IPs only.

Web Application Firewall Rules (all): Implement WAF rules to block suspicious command injection patterns.

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Implement strict monitoring and alerting for suspicious command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check BeyondTrust version in admin console or via system information

Check Version:

Check version in BeyondTrust admin interface under System Information

Verify Fix Applied:

Verify version is 24.1.1 or later in admin console

📡 Detection & Monitoring

Log Indicators:

  • Unusual pre-authentication requests
  • Command execution patterns in application logs
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • Unusual traffic to BeyondTrust web interfaces from unexpected sources
  • Command injection patterns in HTTP requests

SIEM Query:

source="beyondtrust" AND (http_method="POST" OR http_method="GET") AND (url_contains("/api/") OR url_contains("/auth/")) AND (message_contains("cmd") OR message_contains("exec") OR message_contains("system"))
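The SIEM query above is written in a SIEM-specific syntax. The following is an added example, not part of the original advisory and not BeyondTrust code, that expresses the same predicate in plain Python so it can be checked against a handful of constructed log records. The field names (source, http_method, url, message) mirror the query's own terms; the case-insensitive substring semantics of url_contains() and message_contains() are an assumption, as are the sample records, which are constructed and not real BeyondTrust log output.

```python
"""Evaluate the advisory's SIEM query as a Python predicate over log records."""
from dataclasses import dataclass


@dataclass
class LogRecord:
    # Assumed field names, chosen to mirror the query's terms.
    source: str
    http_method: str
    url: str
    message: str


# Clauses taken directly from the query on the page.
ALLOWED_METHODS = ("POST", "GET")
SUSPICIOUS_PATHS = ("/api/", "/auth/")
SUSPICIOUS_TERMS = ("cmd", "exec", "system")


def matches_siem_query(rec: LogRecord) -> bool:
    """Return True when the record satisfies every AND clause of the query.

    Substring checks are case-insensitive; that is an assumption about the
    SIEM's url_contains()/message_contains() semantics.
    """
    if rec.source != "beyondtrust":
        return False
    if rec.http_method not in ALLOWED_METHODS:
        return False
    url = rec.url.lower()
    if not any(path in url for path in SUSPICIOUS_PATHS):
        return False
    message = rec.message.lower()
    return any(term in message for term in SUSPICIOUS_TERMS)


def filter_records(records):
    """Return only the records that would trigger the query."""
    return [r for r in records if matches_siem_query(r)]


# Constructed sample records (not real BeyondTrust log output).
SAMPLE_LOGS = [
    LogRecord("beyondtrust", "POST", "/api/session", "handler error: exec failed for request"),
    LogRecord("beyondtrust", "GET", "/login", "login page rendered"),
    LogRecord("beyondtrust", "GET", "/api/status", "system information requested by admin"),
    LogRecord("nginx", "POST", "/api/session", "cmd parameter rejected"),
    LogRecord("beyondtrust", "DELETE", "/auth/token", "exec token revoked"),
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE_LOGS):
        print(f"ALERT {rec.http_method} {rec.url}: {rec.message}")
```

Running the sample shows the query's main weakness: the third record, a routine request whose message mentions "system information", fires alongside the genuinely suspicious first record, while the fifth record escapes because its method is not GET or POST. Treat the query as a starting point to tune against a baseline of normal BeyondTrust traffic rather than a finished detection.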
