Sonstige Informationen und Dienstleistungen der Regierung: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: Remote Code Execution in BeyondTrust Remote Support and Privileged Remote Access, Patch Immediately!

Image
Decorative image
Veröffentlicht : 09/02/2026
  • Last update: 16/02/2026
  • Affected software:
    → BeyondTrust Remote Support <= 25.3.1
    → BeyondTrust Privileged Remote Access <= 24.3.4
  • Type: Remote Code Execution (RCE)
  • CVE/CVSS
    → CVE-2026-1731: CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L)

Sources

BeyondTrust - https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-1731

Risks

UPDATE 2026-02-16: Arctic Wolf has observed malicious activity in the wild linked to suspected exploitation of CVE-2026-1731 in self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. Following the release of a proof-of-concept on GitHub, Greynoise reported a surge in internet-wide scanning for this vulnerability, suggesting that further exploitation is likely to follow.

BeyondTrust Remote Support (RS) is a software solution that allows IT support teams to access devices, servers, and other systems remotely. Privileged Remote Access (PRA) is a security solution that manages and monitors privileged access to critical infrastructure and systems. Both products provide access to various network parts, making it crucial to secure them effectively.

Successful exploitation of this vulnerability can lead to Remote Code Execution, causing a severe impact on the confidentiality, integrity, and availability of the affected system  

If the on-premises RS/PRA instances are not subscribed to receive automatic updates, an action is required to apply the appropriate patches to resolve the issue.

Description

CVE-2026-1731 is an unauthenticated remote code execution vulnerability. An unauthenticated attack can exploit this vulnerability by sending specially crafted requests and may be able to execute OS commands as the site user.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

The Hacker News - https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html
Arctic Wolf - https://arcticwolf.com/resources/blog/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability/
Greynoise - https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731