Full Report
A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access appliances is now being exploited in attacks after a PoC was published online. [...]
Analysis Summary
# Vulnerability: Pre-Authentication Remote Code Execution in BeyondTrust Appliances
## CVE Details
- **CVE ID**: CVE-2026-1731
- **CVSS Score**: 9.9 (Critical)
- **CWE**: Not explicitly listed (Technical description suggests Command Injection or Improper Input Validation)
## Affected Systems
- **Products**:
  - BeyondTrust Remote Support (RS)
  - BeyondTrust Privileged Remote Access (PRA)
- **Versions**:
  - Remote Support: versions 25.3.1 and earlier
  - Privileged Remote Access: versions 24.3.4 and earlier
- **Configurations**: On-premises deployments are at the highest risk. SaaS instances have been automatically updated by the vendor.
## Vulnerability Description
The flaw is a pre-authentication remote code execution (RCE) vulnerability that is triggered by sending specially crafted client requests to the appliance. Specifically, the vulnerability resides in the way the appliance handles requests to the `/get_portal_info` endpoint. By exploiting this, an unauthenticated attacker can execute operating system commands in the context of the site user.
## Exploitation
- **Status**: Exploited in the wild; PoC available (GitHub)
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: High (Potential for data exfiltration and unauthorized access)
- **Integrity**: High (OS command execution; system compromise)
- **Availability**: High (Service disruption)
## Remediation
### Patches
BeyondTrust has released updates to address this vulnerability. Organizations using on-premises instances must manually upgrade to:
- **Remote Support**: Version 25.3.2 or later
- **Privileged Remote Access**: Version 24.3.5 or later
*(Note: SaaS instances were patched automatically by the vendor on February 2, 2026.)*
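To turn the version thresholds above into a repeatable check, the following script triages an appliance inventory against the fixed releases. It is an added example, not BeyondTrust tooling; the fixed-version numbers are the ones stated in this summary, and the inventory entries are constructed. Versions are compared as integer tuples because a plain string comparison would wrongly rank a hypothetical `25.10.0` below `25.3.2`.

```python
"""Triage a BeyondTrust appliance inventory against the CVE-2026-1731 fix versions.

Added example, not vendor code. Thresholds come from the advisory summary;
the inventory below is constructed for illustration.
"""

# First fixed release per product (from the Remediation section above).
FIXED = {
    "Remote Support": (25, 3, 2),
    "Privileged Remote Access": (24, 3, 5),
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1). Raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(product, version):
    """True when the installed version is below the first fixed release."""
    fixed = FIXED[product]
    installed = parse_version(version)
    # Pad the shorter tuple so (25, 3) compares as (25, 3, 0).
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed


# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("rs-dc1", "Remote Support", "25.3.1"),
    ("rs-dc2", "Remote Support", "25.3.2"),
    ("pra-lab", "Privileged Remote Access", "24.3.4"),
    ("pra-hq", "Privileged Remote Access", "24.3.5"),
]


def triage(inventory):
    """Return the inventory rows that still need the upgrade."""
    return [row for row in inventory if needs_upgrade(row[1], row[2])]


if __name__ == "__main__":
    for hostname, product, version in triage(INVENTORY):
        print(f"UPGRADE REQUIRED: {hostname} ({product} {version})")
```

Feed it the output of whatever asset inventory tracks on-premises appliances; SaaS tenants need no entry because the vendor patched them.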
### Workarounds
No specific configuration workarounds were provided in the article; immediate patching is the primary recommendation. If patching cannot be performed immediately, restricting network access to the management portals is a standard security best practice.
## Detection
- **Indicators of Compromise**:
  - Unusual requests targeting the `/get_portal_info` endpoint.
  - Abnormally high traffic or unauthorized WebSocket connections following a request to the portal info endpoint.
  - Evidence of attackers extracting the `X-Ns-Company` header value.
- **Detection methods and tools**:
  - Review web server/appliance logs for exploitation attempts on `/get_portal_info`.
  - Monitor for unauthorized OS command execution or suspicious lateral movement from the appliance.
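The two log-based indicators above (a burst of `/get_portal_info` requests from one source, and a WebSocket upgrade from that same source shortly afterwards) can be hunted with a short script. This is an added example, not a BeyondTrust or Hacktron detection; it assumes the appliance, or a reverse proxy in front of it, writes Apache/nginx "combined" format access logs. The sample lines, the thresholds, and the `/ws` path are constructed; the WebSocket rule keys on the HTTP 101 status rather than on any particular path, since the page does not name one.

```python
"""Hunt access logs for the CVE-2026-1731 indicators listed above.

Added example, not vendor tooling. Assumes combined-format access logs;
sample lines and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/get_portal_info"
BURST_THRESHOLD = 5                     # hypothetical: >5 hits per window
BURST_WINDOW = timedelta(minutes=1)
WS_FOLLOW_WINDOW = timedelta(seconds=30)  # 101 upgrade within 30 s of a hit

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign browser lookup, then a scripted burst
# followed by a WebSocket upgrade from the same source.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Feb/2026:08:05:10 +0000] "GET /get_portal_info HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2026:08:05:11 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.10 - - [10/Feb/2026:08:01:0{s} +0000] "POST /get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for s in range(6)
] + [
    '203.0.113.10 - - [10/Feb/2026:08:01:09 +0000] "GET /ws HTTP/1.1" 101 0 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    event["path"] = event["path"].split("?", 1)[0]  # drop query string
    return event


def find_suspicious(lines):
    """Return findings for sources matching the burst or websocket rules."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, evs in by_ip.items():
        hits = [e for e in evs if e["path"] == ENDPOINT]

        # Rule 1: more than BURST_THRESHOLD endpoint hits inside one window.
        for i, first in enumerate(hits):
            window = [h for h in hits[i:] if h["ts"] - first["ts"] <= BURST_WINDOW]
            if len(window) > BURST_THRESHOLD:
                findings.append({"ip": ip, "rule": "portal_info_burst",
                                 "count": len(window), "first": first["ts"]})
                break

        # Rule 2: a 101 Switching Protocols response shortly after a hit.
        for hit in hits:
            upgrade = next((e for e in evs if e["status"] == 101
                            and timedelta(0) <= e["ts"] - hit["ts"] <= WS_FOLLOW_WINDOW), None)
            if upgrade:
                findings.append({"ip": ip, "rule": "ws_after_portal_info",
                                 "path": upgrade["path"], "first": hit["ts"]})
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

Tune `BURST_THRESHOLD` against a baseline of legitimate client traffic before alerting on it, and treat a hit from a flagged source as the pivot for checking the appliance for unexpected processes or outbound connections, per the second detection method above.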
## References
- BeyondTrust Advisory: hxxp[://]www[.]beyondtrust[.]com/trust-center/security-advisories/bt26-02
- Hacktron Disclosure: hxxps[://]www[.]hacktron[.]ai/blog/cve-2026-1731-beyondtrust-remote-support-rce
- Threat Intelligence (X): hxxps[://]x[.]com/ethicalhack3r/status/2021870311377879136
- Original Article: hxxps[://]www[.]bleepingcomputer[.]com/news/security/critical-beyondtrust-rce-flaw-now-exploited-in-attacks-patch-now/