SOCRadar® Cyber Intelligence Inc. | CVE-2026-1731: RCE Risk in BeyondTrust RS and PRA
Feb 10, 2026
Feb 16, 2026

CVE-2026-1731: RCE Risk in BeyondTrust RS and PRA

BeyondTrust has disclosed CVE-2026-1731, a vulnerability that enables Remote Code Execution (RCE) in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Early reporting indicates that a meaningful number of deployments are internet-facing, increasing the likelihood of opportunistic scanning once technical details become more widely understood.

This post outlines what CVE-2026-1731 is, which versions are affected, what is known about exploitation and proof-of-concept activity, and the immediate steps defenders should take.

What Is CVE-2026-1731?

CVE-2026-1731 (CVSSv4 9.9) is an unauthenticated OS command injection vulnerability (CWE-78). An attacker can send specially crafted requests that result in operating system command execution as the site user, without requiring valid credentials.

Details of CVE-2026-1731 (SOCRadar Vulnerability Intelligence)


The risk is straightforward but severe. When a pre-authentication flaw exists in remote access infrastructure, network reachability alone is enough to reach code execution; no phishing, credential theft, or session hijack is needed first. Any exposed interface effectively becomes an entry point.

Why This Vulnerability Matters in Remote Access Environments

BeyondTrust RS and PRA commonly sit at the boundary between internal systems and external users, including contractors, partners, and help desk workflows. That placement makes them attractive targets even when exploitation results in execution under a non-root service account.

In practice, an initial foothold in a remote access platform can support follow-on activity such as credential harvesting, abuse of active sessions, or lateral movement, depending on how the appliance is integrated into the broader environment.

Which BeyondTrust RS and PRA Versions Are Affected?

BeyondTrust’s advisory identifies the affected version ranges as:

  • Remote Support (RS): 25.3.1 and prior
  • Privileged Remote Access (PRA): 24.3.4 and prior

Which Versions Contain the Fix?

  • RS: Apply Patch BT26-02-RS or upgrade to RS 25.3.2 or later
  • PRA: Apply Patch BT26-02-PRA or upgrade to PRA 25.1.1 or later

What If You Are on an Older Major Train?

BeyondTrust notes a gating requirement for older deployments:

  • RS versions earlier than 21.3 and PRA versions earlier than 22.1 must upgrade first before the patch can be applied.

That detail matters for vulnerability managers because it can turn a “patch now” event into an expedited upgrade project.

Is CVE-2026-1731 Being Exploited in the Wild?

At the time of the initial disclosure (February 10, 2026), there were no reports of active exploitation, and BeyondTrust stated that it was not aware of in-the-wild abuse. That picture changed within days; see the exploitation update below.

Still, the absence of confirmed exploitation should not reduce urgency. Pre-authentication RCE vulnerabilities in exposed systems tend to attract rapid scanning once reliable detection logic or exploit primitives become available.

Is There a Public PoC for CVE-2026-1731?

In the first days after disclosure, the tooling circulating publicly for CVE-2026-1731 was detection-oriented: the widely shared references were version-assessment or scanning scripts rather than a full exploit.

Several write-ups emphasize that exploit details are being deliberately withheld to allow defenders time to remediate. Historically, this pattern often results in early scanner development, followed by more complete offensive tooling once patches are widely available.

Track the latest CVEs and hacker trends with SOCRadar’s Vulnerability Intelligence


For organizations managing large or complex environments, tracking exposure and remediation status across internet-facing assets can be challenging during fast-moving vulnerability disclosures.

SOCRadar’s Cyber Threat Intelligence and Attack Surface Management capabilities help security teams identify exposed instances, track vulnerability-related risk across external assets, and prioritize remediation based on real-world exposure. By combining asset discovery with vulnerability context, teams can quickly understand where action is required and validate that critical systems are no longer reachable.

Active Exploitation of BeyondTrust CVE-2026-1731 Triggers CISA Warning

Threat actors are actively exploiting CVE-2026-1731, as researchers at watchTowr have observed attackers abusing the get_portal_info function to extract sensitive values before opening a WebSocket channel. GreyNoise confirmed scanning activity surged within 24 hours of a public PoC release, with one Frankfurt-based VPN-linked IP responsible for 86% of reconnaissance traffic. Around 11,000 internet-exposed instances are believed to be at risk.

Following indicators of exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by February 16, 2026.

What Should Defenders Do Now to Reduce Risk?

Start with actions that reduce exposure quickly and verify remediation with evidence.

  1. Confirm Your Hosting Model and Patch Status
  • SaaS-hosted RS/PRA: BeyondTrust states it patched all SaaS customers as of February 2, 2026.
  • Self-hosted/on-prem: You need to apply the patch or upgrade to a fixed release.
  2. Patch or Upgrade Immediately (On-Prem)
  • RS: Apply BT26-02-RS or upgrade to 25.3.2+
  • PRA: Apply BT26-02-PRA or upgrade to 25.1.1+
  • If you are on RS < 21.3 or PRA < 22.1, plan the required intermediate upgrade so you can apply the patch.
  3. Prioritize Internet-Facing Instances First

Exposure analysis estimated roughly 11,000 internet-exposed instances overall, with about 8,500 described as on-prem deployments that may remain vulnerable if patches aren’t applied. Whether or not those figures precisely match your environment, the prioritization logic is clear: remediate externally reachable RS and PRA systems first, then address internal-only deployments.

  4. Monitor for Follow-On Guidance

Defenders should watch for additional vendor or researcher publications, such as:

  • Indicators of Compromise (IOCs)
  • More specific request patterns
  • Clarification on affected configurations

Those details can materially improve detection engineering and triage if exploit attempts ramp up.
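The version gating described in the "Which Versions" sections above and the prioritization logic in steps 1 to 3 are easy to get wrong when an inventory is triaged by hand (string comparison puts "25.3.10" before "25.3.2", and a 20.x appliance cannot simply take the hotfix). The following Python is an added example, not code from SOCRadar or BeyondTrust. It encodes only the thresholds quoted on this page (RS 25.3.1 and prior affected, fixed in 25.3.2 or BT26-02-RS, upgrade first below 21.3; PRA 24.3.4 and prior affected, fixed in 25.1.1 or BT26-02-PRA, upgrade first below 22.1; SaaS tenants patched by the vendor) and ranks a constructed sample inventory so internet-facing, self-hosted, unpatched appliances come first. The hostnames, the inventory fields and the status labels are assumptions; a version that falls between the "affected" and "fixed" ranges quoted here (for example PRA 24.3.5) is flagged for manual confirmation against the vendor advisory rather than guessed.

```python
"""Triage helper for CVE-2026-1731 across a BeyondTrust RS/PRA inventory.

Example code written for this post; thresholds are the ones quoted in the
post from BeyondTrust's advisory. Inventory schema and hostnames are assumed.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]

# Advisory values as quoted in the post. Anything between last_affected and
# fixed is not described on the page, so it is reported as unknown below.
ADVISORY = {
    "RS":  {"last_affected": "25.3.1", "fixed": "25.3.2",
            "min_for_patch": "21.3", "patch": "BT26-02-RS"},
    "PRA": {"last_affected": "24.3.4", "fixed": "25.1.1",
            "min_for_patch": "22.1", "patch": "BT26-02-PRA"},
}

# Lower number = handle first. Both vulnerable states share the top tier;
# the internet-facing flag then decides order within the tier.
PRIORITY = {"vulnerable-upgrade-first": 0, "vulnerable-patchable": 0,
            "unknown-check-advisory": 1, "fixed": 2}


def parse_version(text: str) -> Version:
    """'25.3.1' -> (25, 3, 1). Numeric tuples compare correctly where
    strings do not ('25.3.10' > '25.3.2'). Trailing zeros are dropped so
    '21.3' and '21.3.0' compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


@dataclass
class Appliance:            # assumed inventory schema
    host: str
    product: str            # "RS" or "PRA"
    version: str
    hosting: str            # "saas" or "self-hosted"
    internet_facing: bool
    hotfix_applied: bool = False   # BT26-02-RS / BT26-02-PRA already installed


def assess(a: Appliance) -> str:
    """Classify one appliance against the advisory thresholds."""
    if a.hosting == "saas":
        return "fixed"      # post: vendor patched all SaaS customers by Feb 2, 2026
    spec = ADVISORY[a.product]
    v = parse_version(a.version)
    if a.hotfix_applied or v >= parse_version(spec["fixed"]):
        return "fixed"
    if v <= parse_version(spec["last_affected"]):
        if v < parse_version(spec["min_for_patch"]):
            return "vulnerable-upgrade-first"   # hotfix cannot be applied yet
        return "vulnerable-patchable"
    return "unknown-check-advisory"   # gap between the quoted ranges


def action_for(a: Appliance, status: str) -> str:
    spec = ADVISORY[a.product]
    if status == "vulnerable-patchable":
        return f"apply {spec['patch']} or upgrade to {a.product} {spec['fixed']}+"
    if status == "vulnerable-upgrade-first":
        return f"upgrade to >= {spec['min_for_patch']} first, then apply {spec['patch']}"
    if status == "unknown-check-advisory":
        return "version falls between quoted affected/fixed ranges; confirm with vendor advisory"
    return "no action for this CVE"


def prioritize(inventory: List[Appliance]) -> List[Tuple[str, str, str]]:
    """Return (host, status, action) rows: vulnerable before unknown before
    fixed, internet-facing first within each tier, then by hostname."""
    rows = [(a, assess(a)) for a in inventory]
    rows.sort(key=lambda r: (PRIORITY[r[1]], not r[0].internet_facing, r[0].host))
    return [(a.host, s, action_for(a, s)) for a, s in rows]


# Constructed sample data; these hosts do not exist.
SAMPLE_INVENTORY = [
    Appliance("rs-dmz-01.example.test", "RS", "25.3.1", "self-hosted", True),
    Appliance("rs-lab.example.test", "RS", "20.2.3", "self-hosted", False),
    Appliance("pra-partner.example.test", "PRA", "24.3.4", "self-hosted", True),
    Appliance("pra-int.example.test", "PRA", "25.1.1", "self-hosted", False),
    Appliance("rs-saas.example.test", "RS", "25.3.1", "saas", True),
    Appliance("rs-hotfixed.example.test", "RS", "25.3.1", "self-hosted", True, hotfix_applied=True),
    Appliance("pra-odd.example.test", "PRA", "24.3.5", "self-hosted", True),
]

if __name__ == "__main__":
    for host, status, action in prioritize(SAMPLE_INVENTORY):
        print(f"{host:28} {status:26} {action}")
```

Feeding a real export into `SAMPLE_INVENTORY` (or a CSV loader producing `Appliance` rows) gives a remediation queue that matches the post's ordering: externally reachable unpatched appliances first, then internal ones, with any version the advisory text does not cover held out for a human decision instead of being silently marked safe.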