February 9, 2026

BeyondTrust addresses critical pre‑auth RCE vulnerability

At a glance: BeyondTrust disclosed a critical pre-auth RCE vulnerability (CVE-2026-1731) affecting Remote Support and Privileged Remote Access. The command injection flaw allows unauthenticated attackers to execute OS-level commands with elevated privileges. While no active exploitation is confirmed, the CVSS 9.9 rating makes exposed systems a high-risk target requiring immediate patching.

Threat summary

On February 6, 2026, BeyondTrust released an advisory detailing a critical remote code execution (RCE) vulnerability affecting Remote Support and Privileged Remote Access. These platforms provide remote access and support capabilities across enterprise environments and are widely used to troubleshoot systems, manage privileged sessions, and support distributed workforces.

The issue, tracked as CVE‑2026‑1731, results from a command injection flaw that allows threat actors to execute operating system (OS) commands through malicious client requests. The result is unauthenticated remote code execution in the context of the site user, meaning the code runs with the same privileges as the appliance’s internal service account used to operate core functions. Exploitation requires no user interaction. The flaw received a Common Vulnerability Scoring System (CVSS) rating of 9.9. The worst‑case scenario includes full compromise of exposed appliances, unauthorized access, and data exfiltration.

All Remote Support software‑as‑a‑service (SaaS) and Privileged Remote Access SaaS environments received the fix on February 2, 2026. Self‑hosted deployments require manual patching if automatic updates are not enabled in the appliance interface. Self‑hosted Privileged Remote Access customers can also remediate the vulnerability by upgrading to version 25.1.1 or later.

There is no current information on active exploitation in the wild, and no proof‑of‑concept exploit has been publicly confirmed at the time of reporting.

Analysis & mitigation

Security flaws in BeyondTrust products have been exploited previously, so applying the latest updates is an essential part of reducing exposure. Field Effect MDR users were alerted via ARO if vulnerable systems were detected in their environment.

Organizations using BeyondTrust Remote Support or Privileged Remote Access are advised to manually apply the latest updates for on‑premises appliances. Cloud customers will have already received the updates.

Remote Support (version 21.3 and earlier) and Privileged Remote Access (version 22.1 and earlier) instances must be upgraded to a supported release before applying the fix. The security fix for CVE-2026-1731 relies on updates and architectural changes introduced in later product branches, and these earlier versions do not contain the underlying components needed for the patch to apply cleanly.

Privileged Remote Access version 25.1.1 and later contains the corrected code for CVE-2026-1731. Customers on these versions do not need to apply the standalone patch, as the vulnerability is resolved as part of the product release. For self-hosted environments, upgrading to 25.1.1 or later provides a direct remediation path in cases where applying the patch to an older supported branch is not preferred.
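
The version rules above can be applied to an appliance inventory to build a patching queue. The following is an added example, not code from BeyondTrust or Field Effect; the inventory rows, hostnames, intermediate version numbers, and action labels are constructed, and it assumes "21.3 and earlier" and "22.1 and earlier" cover every build in those branches.

```python
import re

# Last branch that cannot take the patch directly, per the advisory text.
# Assumption: the comparison is on the (major, minor) branch, so 21.3.x counts.
UPGRADE_FIRST = {"RS": (21, 3), "PRA": (22, 1)}
PRA_FIXED_RELEASE = (25, 1, 1)  # PRA release that already contains the fix

INVENTORY = [  # constructed sample rows: (host, product, version, hosting)
    ("rs-edge-01", "RS", "21.3.2", "self-hosted"),
    ("rs-edge-02", "RS", "24.3.1", "self-hosted"),
    ("pra-dmz-01", "PRA", "22.1", "self-hosted"),
    ("pra-dmz-02", "PRA", "24.3.4", "self-hosted"),
    ("pra-dmz-03", "PRA", "25.1.1", "self-hosted"),
    ("pra-cloud-01", "PRA", "24.3.4", "saas"),
]

def parse_version(text):
    """Turn '24.3.1' into (24, 3, 1); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(product, version, hosting):
    """Return the remediation action the advisory gives for one appliance."""
    if product not in UPGRADE_FIRST:
        raise ValueError(f"unknown product: {product!r}")
    if hosting == "saas":
        return "fixed-by-vendor"        # SaaS received the fix on Feb 2, 2026
    v = parse_version(version)
    if v[:2] <= UPGRADE_FIRST[product]:
        return "upgrade-then-patch"     # must reach a supported release first
    if product == "PRA" and v >= PRA_FIXED_RELEASE:
        return "fixed-in-release"
    # Version alone cannot show whether the patch is installed: verify it,
    # or (PRA only) upgrade to 25.1.1 or later instead.
    return "apply-patch"

def triage_inventory(rows):
    """Group hostnames by action so the patching queue is explicit."""
    plan = {}
    for host, product, version, hosting in rows:
        plan.setdefault(triage(product, version, hosting), []).append(host)
    return plan

if __name__ == "__main__":
    for action, hosts in sorted(triage_inventory(INVENTORY).items()):
        print(f"{action}: {', '.join(hosts)}")
```

Hosts in the "apply-patch" group still need their patch state confirmed in the appliance interface, since self-hosted systems only receive the fix automatically when automatic updates are enabled.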

Reducing external exposure of these systems, validating that only necessary interfaces are internet-accessible, and reviewing authentication and access controls provide additional risk reduction.

Security teams are encouraged to review logs for anomalous client requests targeting Remote Support or Privileged Remote Access endpoints. Network monitoring for unexpected command execution or privilege escalation activity on these systems supports early detection.
