Critical Pre-Authentication Remote Code Execution Vulnerability in BeyondTrust RS & PRA (CVE-2026-1731)
February 13th, 2026
Critical
Our Cyber Threat Intelligence Unit is monitoring CVE-2026-1731, a critical pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The vulnerability allows unauthenticated attackers to execute operating system commands by sending specially crafted requests to vulnerable appliances. BeyondTrust disclosed the issue in February 2026 after the vulnerability was discovered on January 31, 2026 through AI-assisted variant analysis. Internet-accessible deployments present the highest exposure risk, particularly self-hosted appliances that have not applied vendor patches. BeyondTrust has released security updates to address the issue.
Technical Details
CVE: CVE-2026-1731
Severity: Critical (CVSS v4 9.9)
Affected Components:
BeyondTrust Remote Support (RS): Version 25.3.1 and prior
BeyondTrust Privileged Remote Access (PRA): Version 24.3.4 and prior
Attack Vector and Exploitation Mechanics:
Initial access:
The vulnerability is exposed through network-accessible BeyondTrust RS and PRA services.
An attacker can exploit vulnerable appliances without valid credentials.
No authentication or prior access is required.
Internet-exposed deployments present the highest risk.
Exploitation method:
An unauthenticated attacker can send specially crafted requests to a vulnerable appliance.
Successful exploitation allows execution of operating system commands in the context of the site user.
The vulnerable code path is exposed pre-authentication, prior to identity verification.
Execution path:
The RS/PRA application improperly handles crafted input, resulting in execution of operating-system commands on the underlying appliance.
Successful command execution may allow attackers to interact with the appliance operating environment, subject to platform configuration and privilege boundaries.
Post-exploitation impact: Successful exploitation may allow attackers to perform actions including:
Persistence:
Deployment of additional tooling or unauthorized access mechanisms
Modification of appliance configurations
Data Access:
Access to sensitive configuration data or session-related information
Interaction with and extraction of appliance logs or stored data
Lateral Movement:
Use of the compromised RS/PRA system as a pivot point within the network
Targeting of connected or managed systems
Service Disruption:
Termination or degradation of remote support services
Modification of critical application components
Operational outages affecting IT support and privileged access workflows

Impact
Organizations operating vulnerable BeyondTrust RS or PRA appliances face an elevated risk of unauthorized system access. Potential impacts include:
Remote command execution on security-sensitive infrastructure
Exposure of privileged access workflows or session data
Service disruption affecting remote support or administrative operations
Increased lateral movement opportunities within enterprise networks
Risk is highest where management or access interfaces are reachable from untrusted networks.
Detection Method
Organizations are advised to review the following sources and behaviors:
Network traffic for unusual patterns or anomalies that could indicate the presence of specially crafted requests targeting RS/PRA.
Firewall, IPS, or proxy logs for abnormal HTTP(S) requests targeting RS/PRA endpoints (e.g., unexpected POST requests, malformed headers, unusual payload sizes).
Unexpected command execution activity or anomalous process behavior on systems hosting BeyondTrust appliances.
Windows Event ID 4688 (process creation) and Sysmon Event ID 1 for abnormal child processes associated with BeyondTrust appliance components.
RS/PRA application logs for errors related to request parsing, unexpected input handling, or service crashes preceding suspicious activity.
Service account misuse, including execution activity outside normal maintenance windows.
Indicators of Compromise
No indicators of compromise have been observed.

Recommendations
Apply vendor patches immediately:
Remote Support (RS): Update to 25.3.2 or later
Privileged Remote Access (PRA): Update to 25.1.1 or later
Upgrade unsupported versions: Deployments running RS versions earlier than 21.3 or PRA versions earlier than 22.1 must upgrade to a supported release before applying patches.
Restrict external exposure:
Avoid direct internet exposure of management or access interfaces
Enforce network-level access controls and IP allowlisting where feasible
Strengthen monitoring:
Review appliance logs and surrounding security telemetry
Investigate anomalous request or execution behavior
Validate appliance integrity: Assess systems for unauthorized changes or suspicious activity
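A triage sketch for the patch guidance above, added here as an example and not BeyondTrust's or this advisory's own tooling: it classifies an appliance inventory against the version bounds quoted in this advisory. The inventory rows, hostnames, status labels and function names are assumptions, and collecting each appliance's version is left to your asset inventory.

```python
from typing import NamedTuple

class Thresholds(NamedTuple):
    supported_floor: tuple  # earlier than this: upgrade to a supported release first
    last_affected: tuple    # this version and prior are listed as affected
    first_fixed: tuple      # this version or later contains the fix

# Version numbers as quoted in this advisory.
THRESHOLDS = {
    "RS": Thresholds((21, 3), (25, 3, 1), (25, 3, 2)),
    "PRA": Thresholds((22, 1), (24, 3, 4), (25, 1, 1)),
}
URGENCY = ["affected", "unsupported", "unknown", "review", "fixed"]

def parse_version(text):
    """'25.3.1' -> (25, 3, 1); None if not dotted integers. 25.3.1.0 == 25.3.1."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()  # drop trailing zeros so padded versions compare equal
    return tuple(nums)

def classify(product, version):
    """Return one of the URGENCY labels for a product ('RS' or 'PRA') and version."""
    limits = THRESHOLDS.get(product.strip().upper())
    v = parse_version(version)
    if limits is None or v is None:
        return "unknown"       # unrecognised product or version string: check by hand
    if v < limits.supported_floor:
        return "unsupported"   # must reach a supported release before patching
    if v <= limits.last_affected:
        return "affected"
    if v >= limits.first_fixed:
        return "fixed"
    return "review"            # between the two bounds: not covered by the advisory

def triage(inventory):
    """Sort (host, product, version) rows so the most urgent come first."""
    rows = [(h, p, v, classify(p, v)) for h, p, v in inventory]
    return sorted(rows, key=lambda r: URGENCY.index(r[3]))

# Constructed sample inventory; hostnames are placeholders.
SAMPLE = [
    ("support-a.example", "RS", "25.3.2"), ("support-b.example", "RS", "25.3.1"),
    ("pra-a.example", "PRA", "21.4.1"), ("pra-b.example", "PRA", "24.3.5"),
    ("pra-c.example", "PRA", "n/a"),
]
```

Calling `triage(SAMPLE)` returns the rows ordered affected, unsupported, unknown, review, fixed; anything labelled `review` or `unknown` needs a manual check against the vendor advisory.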
Conclusion
CVE-2026-1731 is a critical pre-authentication remote code execution risk affecting BeyondTrust Remote Support and Privileged Remote Access appliances. Given the security-sensitive role of these systems, we urge organizations to prioritize patching, restrict unnecessary exposure, and monitor for anomalous activity to reduce the likelihood of compromise.