BeyondTrust RCE (CVE-2026-1731) is being probed and attacked in the wild
A critical unauthenticated remote code execution flaw in BeyondTrust Remote Support and some Privileged Remote Access releases is being actively probed and exploited by attackers. If you run self-hosted instances that are not patched, assume they may be targeted and act now to update or isolate them.
The quick facts
- Vulnerability: CVE-2026-1731, pre-auth remote code execution.
- Severity: CVSS 9.9, near maximum.
- Products affected: BeyondTrust Remote Support (RS) ≤ 25.3.1 and Privileged Remote Access (PRA) ≤ 24.3.4.
- Patch / SaaS: BeyondTrust has applied the fix to cloud/SaaS instances and published advisories and patches for self-hosted customers. If you are cloud-hosted, updates should already be applied.
Evidence of active exploitation
Researchers and monitoring services reported in-the-wild activity within hours of proof-of-concept material and advisories becoming public. The headline signals:
- watchTowr’s threat sensors detected the first exploitation attempts and described a pattern in which attackers call get_portal_info to capture an x-ns-company value and then open a WebSocket channel (source: watchTowr).
- GreyNoise observed reconnaissance and early exploitation scanning, and found that a single IP accounted for 86% of reconnaissance sessions targeting this CVE so far (source: GreyNoise).
- Multiple security vendors and news outlets reported rapid weaponization and active exploitation attempts.
Because the flaw allows unauthenticated command execution, even successful reconnaissance can quickly lead to full compromise if an exploit is delivered.
What BeyondTrust says
BeyondTrust’s advisory notes that the patch has been applied to all Remote Support SaaS and Privileged Remote Access SaaS customers as of Feb 2, 2026. Self-hosted customers should apply the published patches or upgrade to fixed versions.
Recommended immediate actions from the vendor include applying vendor patches, isolating exposed instances, and following incident response guidance if suspicious activity is found.

Who is scanning and how fast
GreyNoise data shows a dominant scanner/IP doing most of the early checks. That IP is tied to a commercial VPN provider and has been active as a broad scanner since 2023. The same infrastructure has been used to scan for a wide range of other high-value flaws. This pattern suggests fast automated tooling rather than a single bespoke attacker.
Security teams should assume large-scale automated discovery and treat any internet-facing BeyondTrust instance as high-risk until patched.
Vulnerability breakdown
| Item | Detail |
|---|---|
| CVE | CVE-2026-1731. |
| Impact | Unauthenticated remote OS command execution in the context of the site user. |
| Affected versions | RS ≤ 25.3.1; PRA ≤ 24.3.4 (self-hosted older releases). SaaS patched Feb 2, 2026. |
| Exploitation observed | Reconnaissance and exploitation attempts reported within hours; heavy scanning by a dominant IP. |
| Mitigation | Apply vendor patches, isolate internet-facing instances, review logs for get_portal_info and WebSocket creation. |
Immediate action checklist
- Post-incident: if you detect exploitation, follow incident-response playbooks: isolate hosts, preserve evidence, rotate credentials, and engage IR/forensics.
- If you run BeyondTrust SaaS/Cloud: confirm with your provider that patches were applied; verify no suspicious logs exist.
- If you run self-hosted RS/PRA: apply the vendor patch or upgrade to the fixed versions immediately. If you cannot patch immediately, block public access to the service until patched.
- Hunt for indicators: search logs for get_portal_info calls, unexpected WebSocket sessions, rapid POSTs to portal endpoints, and unusual processes spawned by the web service.
- Network containment: block or rate-limit suspicious scan IPs, but assume attackers will use diverse infrastructure and VPNs.
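The hunt step above can be turned into a repeatable check. The script below is an added example for this article, not BeyondTrust's own tooling: it reads web-server access log lines, groups them by client IP, and flags any client that requested get_portal_info and then opened a WebSocket shortly afterwards, the sequence watchTowr describes. The log layout (a combined-style line with the x-ns-company and Upgrade header values appended as two extra quoted fields), the five-minute follow-up window, and the sample lines themselves are all assumptions constructed for illustration; adapt the regex to whatever your reverse proxy actually writes.

```python
"""Hunt for the CVE-2026-1731 reconnaissance pattern in access logs.

Added example, not BeyondTrust code. Assumes each log line is a combined
access-log entry with two extra quoted fields at the end: the request's
x-ns-company header value and its Upgrade header value ("-" when absent).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). The first client probes
# get_portal_info and then upgrades to a WebSocket two seconds later; the
# second only probes; the third opens a WebSocket without any probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2026:09:14:01 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "curl/8.4" "-" "-"
203.0.113.10 - - [10/Feb/2026:09:14:03 +0000] "GET /websocket HTTP/1.1" 101 0 "-" "python-requests/2.31" "acme" "websocket"
198.51.100.7 - - [10/Feb/2026:09:20:11 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-" "-"
198.51.100.7 - - [10/Feb/2026:09:20:12 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-" "-"
192.0.2.44 - - [10/Feb/2026:11:02:55 +0000] "GET /websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0" "-" "websocket"
"""

# Assumed log layout: combined format plus "<x-ns-company>" "<upgrade>".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<company>[^"]*)" "(?P<upgrade>[^"]*)"$'
)

WINDOW = timedelta(minutes=5)  # assumed follow-up window; tune to your data


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_portal_info(ev):
    # The endpoint name is the one named in the article; its exact path is assumed.
    return "get_portal_info" in ev["path"]


def is_ws_upgrade(ev):
    # HTTP 101 Switching Protocols or an explicit Upgrade: websocket header.
    return ev["status"] == 101 or ev["upgrade"].lower() == "websocket"


def hunt(log_text, window=WINDOW):
    """Group events per client IP and rate each client that touched get_portal_info.

    "high": get_portal_info followed by a WebSocket upgrade within `window`.
    "low":  get_portal_info seen, but no follow-up WebSocket (reconnaissance only).
    Clients that never touched get_portal_info are not reported.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        probes = [e for e in evs if is_portal_info(e)]
        if not probes:
            continue
        chained = any(
            is_ws_upgrade(w) and p["ts"] <= w["ts"] <= p["ts"] + window
            for p in probes
            for w in evs
        )
        findings.append({
            "ip": ip,
            "severity": "high" if chained else "low",
            "portal_info_requests": len(probes),
            # Company values the client presented: useful for spotting a
            # scanner that learned the x-ns-company value from the probe.
            "companies_seen": sorted({e["company"] for e in evs if e["company"] != "-"}),
        })
    # High-severity findings first, then by IP for stable output.
    findings.sort(key=lambda f: (f["severity"] != "high", f["ip"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:<4} {f['ip']:<15} probes={f['portal_info_requests']} "
              f"companies={f['companies_seen']}")
```

Run it against your own export (`hunt(open("access.log").read())`) and triage the "high" entries first: a probe followed by a WebSocket from the same client is the sequence to escalate, while a lone probe is worth a block or rate-limit and a note of the source address. Once the fix is applied, the same script is a cheap way to confirm whether anyone reached the endpoint before patching.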
What federal and national agencies are doing
The U.S. Cybersecurity and Infrastructure Security Agency added multiple actively exploited flaws to its Known Exploited Vulnerabilities catalog this week. CISA’s KEV actions aim to accelerate patching across the federal civilian estate and the broader community. Organizations should consult the KEV list and prioritize fixes accordingly.
Why this one is especially dangerous
- Pre-auth RCE gives attackers immediate runway on internet-facing instances.
- Fast weaponization means the window between disclosure and exploit is very small. Reports show exploitation attempts within 24 hours of PoC material surfacing.
- Automated scanning concentrates reconnaissance and helps attackers find vulnerable hosts quickly.
Treat any exposed BeyondTrust instance as high priority for remediation.
FAQ
A: BeyondTrust says SaaS cloud instances had the patch applied on Feb 2, 2026. Confirm with your provider.
A: Self-hosted Remote Support versions up to 25.3.1 and Privileged Remote Access up to 24.3.4 require patching or upgrade. See BeyondTrust advisories for precise builds.
A: Look for get_portal_info endpoints, unexpected x-ns-company values, new WebSocket channels, suspicious POST payloads, and any process creation from the web service context.
A: CISA recently added several actively exploited CVEs to KEV and sets remediation expectations for federal agencies. Check CISA’s KEV catalog for current deadlines and guidance.
A: Data shows rapid automated scanning and reconnaissance. A single IP dominated 86% of early scans, but attackers will pivot quickly. Assume broad scanning and possible exploitation.