CVE-2026-1731

CriticalCISA KEVActive ExploitationPublic PoCRansomware-linked

Published: 06 February 2026

Published

06 February 2026

Modified

17 February 2026

KEV Added

13 February 2026

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.8150 99.2th percentile

Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Description

BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the…

context of the site user.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of critical flaws like CVE-2026-1731 via patching instructions from BeyondTrust advisories.

SI-10 Information Input Validation good match

prevent

Validates specially crafted pre-authentication requests to block OS command injection (CWE-78) exploitation.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies CVE-2026-1731 in affected BeyondTrust RS and PRA versions for prioritized remediation.

Security SummaryAI

CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). Classified under CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables an unauthenticated remote attacker to execute operating system commands in the context of the site user by sending specially crafted requests.

An unauthenticated attacker with network access can exploit this vulnerability without privileges or user interaction. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, allowing arbitrary OS command execution as the site user, potentially leading to full system compromise on affected BeyondTrust installations.

BeyondTrust has published security advisories detailing the issue, including KB0023293 and BT26-02, which likely outline affected versions and patching instructions. A proof-of-concept is available on GitHub, and reconnaissance activity has been observed as noted by GreyNoise.

This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating active real-world exploitation. Security practitioners should prioritize patching and monitor for related indicators.

Details

CWE(s): CWE-78
KEV Date Added: 13 February 2026

Affected Products

beyondtrust

privileged remote access

≤ 25.1

beyondtrust

remote support

≤ 25.3.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-1731 is a pre-authentication RCE via OS command injection in a public-facing remote support application, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293
Permissions Required · 13061848-ea10-403d-bd75-c83a022c2891
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
Vendor Advisory · 13061848-ea10-403d-bd75-c83a022c2891
https://github.com/win3zz/CVE-2026-1731
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731
Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0