BeyondTrust has released urgent security updates to fix a critical pre-authentication remote code execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. If exploited, the flaw could allow attackers to execute system-level commands without authentication, putting thousands of organizations at serious risk.
The company disclosed the issue in a security advisory published on February 6, 2026, warning customers to apply patches immediately to prevent potential cyberattacks.
According to BeyondTrust, the flaw exists due to an operating system command injection vulnerability that can be triggered by sending specially crafted requests to vulnerable systems.
“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability,” the company stated.
This means an attacker does not need valid login credentials to exploit the issue. A successful attack could allow a remote, unauthenticated threat actor to run operating system commands in the context of the site user, effectively taking control of the system.
The vulnerability has been assigned the identifier CVE-2026-1731 and carries a CVSS score of 9.9 out of 10, placing it in the critical severity category.
If exploited, CVE-2026-1731 could lead to:
Unauthorized system access
Data theft and exfiltration
Installation of malware or backdoors
Service outages and operational disruption
Lateral movement across enterprise networks
Because BeyondTrust products are often used to manage privileged access, a compromise could give attackers high-level control over sensitive IT environments.
BeyondTrust confirmed that the following versions are vulnerable:
Affected Products
Remote Support versions 25.3.1 and earlier
Privileged Remote Access versions 24.3.4 and earlier
Organizations running these versions are strongly advised to take immediate action.
BeyondTrust has released patches to address the issue in newer versions:
Patched Versions
Remote Support: Patch BT26-02-RS, version 25.3.2 and later
Privileged Remote Access: Patch BT26-02-PRA, version 25.1.1 and later
Customers using these updated versions are protected against the vulnerability.
BeyondTrust emphasized that self-hosted deployments may not receive the fix automatically unless automatic updates are enabled.
Self-hosted customers should:
Manually apply the latest patch if automatic updates are disabled
Upgrade to supported versions if running older software
Customers using:
Remote Support versions older than 21.3, or
Privileged Remote Access versions older than 22.1
must first upgrade to a newer release before applying the patch.
“Self-hosted customers of PRA may also upgrade to 25.1.1 or a newer version to remediate this vulnerability,” BeyondTrust noted.
The vulnerability was discovered by Harsh Jaiswal, security researcher and co-founder of Hacktron AI, using an AI-enabled variant analysis technique. According to Jaiswal, the issue was identified on January 31, 2026.
His research revealed that approximately 11,000 BeyondTrust instances were exposed to the internet at the time of discovery.
More concerning, around 8,500 of these deployments were on-premises, meaning they remain vulnerable unless patches are manually applied.
To reduce the risk of active exploitation, detailed technical information about the vulnerability has been intentionally withheld, giving organizations time to update their systems.
This is not the first time BeyondTrust products have been targeted by attackers. In the past, vulnerabilities in Privileged Remote Access and Remote Support have been actively exploited in real-world attacks.
Given this history, security experts warn that threat actors are likely to quickly weaponize CVE-2026-1731, especially due to its high severity and pre-authentication nature.
Security teams and administrators should take the following steps immediately:
Identify affected BeyondTrust installations
Apply the latest security patches without delay
Upgrade unsupported versions to supported releases
Restrict external access to management interfaces where possible
Monitor logs for unusual activity or signs of compromise
Review privileged access policies to limit exposure
The discovery of CVE-2026-1731 highlights once again how critical it is to keep privileged access management (PAM) tools fully updated. Because these tools sit at the core of enterprise security, any unpatched flaw can have devastating consequences.
With thousands of exposed instances and a near-maximum CVSS score, organizations using BeyondTrust Remote Support or Privileged Remote Access should treat this update as high priority.
Interesting Article : NGINX Servers Targeted in Widespread Web Traffic Redirection Attacks