Full Report
Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr. "Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. "Attackers are abusing
Analysis Summary
# Vulnerability: BeyondTrust Remote Support and Privileged Remote Access Pre-Auth RCE
## CVE Details
- **CVE ID:** CVE-2026-1731
- **CVSS Score:** 9.9 (Critical)
- **CWE:** Not specified in the article (the technical description points to OS command injection leading to remote code execution)
## Affected Systems
- **Products:**
  - BeyondTrust Remote Support (RS)
  - BeyondTrust Privileged Remote Access (PRA)
- **Versions:**
  - Remote Support versions prior to 25.3.2
  - Privileged Remote Access versions prior to 25.1.1
- **Configurations:** Internet-exposed appliances, specifically those on which the `get_portal_info` endpoint is reachable.
## Vulnerability Description
CVE-2026-1731 is a critical pre-authentication vulnerability. Attackers can trigger the flaw by sending specially crafted requests to the appliance. The vulnerability involves abusing the `get_portal_info` function to extract sensitive information (specifically the `x-ns-company` value) before establishing a WebSocket channel. This sequence allows an unauthenticated attacker to execute operating system commands in the context of the site user.
## Exploitation
- **Status:** **Exploited in the wild.** Global sensors have observed threat actors weaponizing the flaw immediately following disclosure.
- **Complexity:** Low (pre-authentication endpoint; no credentials required)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Unauthorized access and data exfiltration)
- **Integrity:** High (Arbitrary OS command execution)
- **Availability:** High (Service disruption)
## Remediation
### Patches
BeyondTrust has released the following security updates to address this flaw:
- **Remote Support:** Apply patch BT26-02-RS or upgrade to version **25.3.2** or later.
- **Privileged Remote Access:** Apply patch BT26-02-PRA or upgrade to version **25.1.1** or later.
### Workarounds
The article does not specify any official workarounds; immediate patching is recommended given the active exploitation and the "Critical" severity.
## Detection
- **Indicators of Compromise:**
  - Unusual requests to the `get_portal_info` endpoint.
  - Anomalous extraction of the `x-ns-company` value, visible in web logs.
  - Subsequent unauthorized WebSocket connections from the same source IP.
- **Detection methods and tools:**
  - Monitor appliance logs for commands executed in the context of the site user.
  - Inspect outbound traffic for evidence of data exfiltration following unusual portal-info requests.
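One way to operationalise the first and third indicators above (a `get_portal_info` request followed shortly by a WebSocket connection from the same source IP) is to correlate the two events per source address in web access logs. This is an added example, not code from the article or from BeyondTrust; the log format, the `/get_portal_info` path, the HTTP 101 upgrade marker and the 5-minute window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (the format and the /get_portal_info path are
# assumptions for illustration, not the appliance's real log format):
# timestamp  source-ip  method  path  status  upgrade-flag
SAMPLE_LOG = """\
2026-02-10T09:00:01Z 203.0.113.7 POST /get_portal_info 200 -
2026-02-10T09:00:03Z 203.0.113.7 GET /ws 101 websocket
2026-02-10T09:05:00Z 198.51.100.2 GET /login 200 -
2026-02-10T09:06:00Z 198.51.100.9 POST /get_portal_info 200 -
2026-02-10T10:30:00Z 198.51.100.9 GET /ws 101 websocket
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield (timestamp, ip, path, status, upgrade) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4), int(m.group(5)), m.group(6)


def find_suspect_sequences(text, window=timedelta(minutes=5)):
    """Return (ip, portal_time, ws_time) for every source IP whose get_portal_info
    request is followed within `window` by a WebSocket upgrade (HTTP 101)."""
    last_portal = {}  # ip -> time of the most recent get_portal_info request
    hits = []
    for ts, ip, path, status, upgrade in sorted(parse_log(text)):
        if "get_portal_info" in path:
            last_portal[ip] = ts
        elif status == 101 and upgrade.lower() == "websocket" and ip in last_portal:
            if ts - last_portal[ip] <= window:
                hits.append((ip, last_portal[ip], ts))
                del last_portal[ip]  # report each sequence once
    return hits


if __name__ == "__main__":
    for ip, t0, t1 in find_suspect_sequences(SAMPLE_LOG):
        print(f"ALERT {ip}: get_portal_info at {t0:%H:%M:%S}, WebSocket upgrade at {t1:%H:%M:%S}")
```

With the sample data only 203.0.113.7 is flagged; 198.51.100.9 opens its WebSocket 84 minutes after its portal-info request, outside the window, so it is left for the analyst to triage rather than alerted on.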
## References
- Source article (The Hacker News), which references the BeyondTrust advisory: hxxps[://]thehackernews[.]com/2026/02/beyondtrust-fixes-critical-pre-auth-rce[.]html
- watchTowr Intelligence: hxxps[://]x[.]com/ethicalhack3r/status/2021870311377879136
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog