CISA Orders Feds Patch BeyondTrust RCE Flaw
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog on February 13, 2026. Federal agencies must patch affected BeyondTrust systems by end of day February 16. The flaw allows unauthenticated remote code execution in Remote Support and Privileged Remote Access products.
BeyondTrust serves over 20,000 customers including 75% of Fortune 100 companies. The vulnerability affects Remote Support 25.3.1 and earlier, plus Privileged Remote Access 24.3.4 and earlier. Attackers exploit OS command injection without authentication or user interaction.
Hacktron researchers discovered the issue and disclosed it responsibly on January 31, 2026. They identified about 11,000 exposed Remote Support instances online, with 8,500 on-premises. BeyondTrust patched SaaS instances automatically on February 2.
Exploitation Status
WatchTowr’s Ryan Dewhurst reported active attacks on February 12. Unpatched devices should be treated as compromised. CISA issued Binding Operational Directive 22-01 mandating federal fixes within three days.
BeyondTrust warned exploitation leads to system compromise, data theft, and service disruption. The company released patches on February 6 via advisory BT26-02. On-premises users must update manually.
Reconnaissance scanning started within 24 hours of PoC publication on GitHub. GreyNoise detected probes targeting vulnerable instances globally. Attackers focus on internet-facing deployments first.
Affected Versions and Patches
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Remote Support (RS) | 25.3.1 and earlier | 25.3.2+ |
| Privileged Remote Access (PRA) | 24.3.4 and earlier | 24.3.5+ |
The CVSS v4 score is 9.9 (critical). The attack vector requires network access only, and no privileges are needed to fully compromise the site user account.
Federal Requirements
- FCEB agencies patch by February 16 close of business.
- Follow BOD 22-01 for cloud services.
- Discontinue unpatchable products immediately.
- Report compliance to CISA.
Historical Context
Chinese group Silk Typhoon exploited prior BeyondTrust zero-days in 2024. Attackers breached US Treasury using CVE-2024-12356 and CVE-2024-12686. They stole API keys and hit 17 SaaS instances including sanctions offices.
Treasury confirmed a network breach via the Remote Support platform. CFIUS foreign investment reviews were also targeted. CISA issued emergency directives then too.
Technical Breakdown
- Flaw in request handling lacks input validation.
- Malicious WebSocket requests trigger command injection.
- Injected commands execute in the site user context.
- Leads to unauthorized access and exfiltration.
Recommended Actions
- Inventory all BeyondTrust instances immediately.
- Apply patches to on-premises deployments.
- Assume exposure on internet-facing systems.
- Monitor logs for anomalous command execution.
- Segment remote access tools from critical networks.
BeyondTrust provides the full advisory in the BT26-02 Security Bulletin.
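As an added example (not code from the article, BeyondTrust or CISA), the script below applies the version thresholds from the table above to an inventory of instances, skips SaaS rows the vendor already patched, and lists internet-facing on-premises hosts first. The inventory rows, hostnames, versions and field names are constructed assumptions.

```python
import re

# Last vulnerable release per product, from the affected-versions table
# (RS fixed in 25.3.2+, PRA fixed in 24.3.5+).
LAST_VULNERABLE = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}

def parse_version(text):
    """Turn '25.3.1' or 'v24.3.10' into a tuple of ints.

    Numeric comparison matters: 25.10.0 is newer than 25.3.2, but a plain
    string comparison would rank it lower and misclassify a patched host.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(product, version):
    """True when the version is at or below the last vulnerable release."""
    return parse_version(version) <= LAST_VULNERABLE[product]

def triage(inventory):
    """Return (hostname, product, version, exposure) rows that need action.

    SaaS rows are skipped because the vendor patched those on February 2.
    Internet-facing on-prem hosts are listed first: scanning hit those first.
    """
    findings = [
        (h["hostname"], h["product"], h["version"], h["exposure"])
        for h in inventory
        if h["deployment"] != "saas" and is_vulnerable(h["product"], h["version"])
    ]
    findings.sort(key=lambda r: (r[3] != "internet", r[0]))
    return findings

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"hostname": "rs-dmz-01", "product": "RS", "version": "25.3.1", "deployment": "onprem", "exposure": "internet"},
    {"hostname": "rs-lab-02", "product": "RS", "version": "25.10.0", "deployment": "onprem", "exposure": "internal"},
    {"hostname": "pra-core-01", "product": "PRA", "version": "24.3.4", "deployment": "onprem", "exposure": "internal"},
    {"hostname": "pra-core-02", "product": "PRA", "version": "24.3.5", "deployment": "onprem", "exposure": "internet"},
    {"hostname": "rs-cloud", "product": "RS", "version": "25.2.0", "deployment": "saas", "exposure": "internet"},
]

if __name__ == "__main__":
    for hostname, product, version, exposure in triage(SAMPLE_INVENTORY):
        print(f"PATCH {hostname}: {product} {version} ({exposure})")
```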
FAQ
- Pre-auth RCE via OS command injection in BeyondTrust RS and PRA.
- Federal Civilian Executive Branch agencies per BOD 22-01.
- Yes, BeyondTrust auto-patched them February 2.
- 11,000 total, 8,500 on-premises per Hacktron.
- Silk Typhoon hit US Treasury in 2024 via zero-days.
- 9.9 critical with no auth required.