CVE-2026-1731 is a critical remote code execution (RCE) vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access solutions. The flaw is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability allows unauthenticated attackers to execute operating system commands remotely, potentially leading to full system compromise. Given BeyondTrust’s widespread use across enterprise and government environments, this represents a high-impact risk to identity infrastructure and remote access gateways.
Affected versions:
- BeyondTrust Remote Support 25.3.1 or earlier
- BeyondTrust Privileged Remote Access 24.3.4 or earlier
SaaS environments were patched automatically on February 2, 2026.
On-premises deployments require manual patching.
Technical Details
CVE-2026-1731 stems from an OS command injection weakness within the application.
Successful exploitation allows an attacker to:
- Execute arbitrary operating system commands
- Operate in the context of the site user
- Bypass authentication requirements
- Potentially achieve full system compromise
No authentication or user interaction is required.
This dramatically lowers the exploitation barrier and makes internet-exposed instances highly attractive targets.
Active Exploitation Confirmed
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation and added the vulnerability to its KEV catalog.
Federal Civilian Executive Branch agencies were ordered to remediate by February 16, 2026, under Binding Operational Directive 22-01.
When CISA enforces emergency patching with a 3-day window, it strongly indicates real-world exploitation activity.
Indicators of Potential Compromise
Organizations should look for:
- Suspicious child processes spawned by BeyondTrust services
- Unexpected OS-level command execution
- Web server anomalies or injection attempts
- New privileged accounts
- Unexpected outbound connections from the BeyondTrust host
- Changes to configuration or integration keys
Because the flaw can be exploited without authenticating, exploitation may occur without leaving any visible entries in authentication logs.
Immediate Mitigation Actions
Organizations should:
- Immediately identify all BeyondTrust Remote Support and Privileged Remote Access instances
- Patch to the latest vendor-supported version
- Review logs for command execution anomalies
- Restrict public exposure where possible
- Implement network segmentation for privileged access systems
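To support the identification and patching steps above, the following added example (not BeyondTrust or OP Innovate code) triages an asset inventory against the affected version ranges listed in this advisory. The inventory records, host names, field names and status labels are constructed for illustration, and any record not marked as SaaS is assumed to be on-premises.

```python
import re

# Last affected releases as stated in the advisory ("or earlier").
LAST_AFFECTED = {
    "remote support": (25, 3, 1),
    "privileged remote access": (24, 3, 4),
}

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if unparsable.
    Extra components (e.g. a fourth build number) are dropped, so 24.3.4.1 is
    treated conservatively as 24.3.4."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[.\-+].*)?\s*", text or "")
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def triage(record):
    """Classify one inventory record against the advisory's affected ranges."""
    product = record.get("product", "").strip().lower()
    product = product.removeprefix("beyondtrust ").strip()
    threshold = LAST_AFFECTED.get(product)
    version = parse_version(record.get("version"))
    if threshold is None or version is None:
        return "manual-review"          # unknown product or version: check by hand
    if version > threshold:
        return "not-in-affected-range"
    if record.get("deployment") == "saas":
        return "confirm-vendor-patch"   # advisory: SaaS patched automatically
    return "patch-now"                  # on-premises requires manual patching

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "rs-gw-01", "product": "Remote Support", "version": "25.3.1", "deployment": "on-prem"},
    {"host": "rs-gw-02", "product": "Remote Support", "version": "25.3.2", "deployment": "on-prem"},
    {"host": "pra-01", "product": "BeyondTrust Privileged Remote Access", "version": "24.3.4.1", "deployment": "on-prem"},
    {"host": "pra-02", "product": "Privileged Remote Access", "version": "24.2.9", "deployment": "saas"},
    {"host": "rs-lab", "product": "Remote Support", "version": "unknown", "deployment": "on-prem"},
]

def report(inventory):
    """Map each host to its triage status."""
    return {r["host"]: triage(r) for r in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Records that land in manual-review should be resolved by checking the appliance directly rather than assumed safe.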
For any needed support, please reach out to OP Innovate.
Stay Safe. Stay Secure
OP Innovate Research Team



