Critical BeyondTrust Vulnerability Exploited in Active Attacks
Cybersecurity researchers have identified active exploitation of a critical security flaw in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products. This vulnerability, designated as CVE-2026-1731 with a CVSS score of 9.9, allows unauthenticated attackers to execute remote code by sending specially crafted requests.
Ryan Dewhurst, head of threat intelligence at watchTowr, reported observing the first in-the-wild exploitation of this vulnerability across global sensors. Attackers are leveraging the ‘get_portal_info’ function to extract the ‘x-ns-company’ value before establishing a WebSocket channel.
BeyondTrust has acknowledged that successful exploitation could enable remote attackers to execute operating system commands as the site user, leading to unauthorized access, data exfiltration, and service disruption. The company has released patches to address this issue:
– Remote Support: Patch BT26-02-RS (versions 21.3 – 25.3.1)
– Privileged Remote Access: Patch BT26-02-PRA (versions 22.1 – 24.X)
All PRA versions 25.1 and later are not affected and do not require patching.
GreyNoise has also confirmed in-the-wild exploitation attempts of CVE-2026-1731, noting reconnaissance efforts targeting the vulnerability less than 24 hours after a proof-of-concept exploit became available. A single IP address, associated with a commercial VPN service in Frankfurt, accounts for 86% of observed reconnaissance sessions, indicating a rapid integration of this vulnerability into existing scanning operations.
This swift exploitation underscores the need for organizations to promptly apply patches to critical systems to mitigate potential threats.
In related developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation:
1. CVE-2026-20700 (CVSS score: 7.8): A memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS that could allow attackers with memory write capability to execute arbitrary code.
2. CVE-2025-15556 (CVSS score: 7.7): A vulnerability in Notepad++ that could allow attackers to intercept or redirect update traffic, leading to arbitrary code execution with user privileges.
3. CVE-2025-40536 (CVSS score: 8.1): A security control bypass in SolarWinds Web Help Desk that could allow unauthenticated attackers to access restricted functionality.
4. CVE-2024-43468 (CVSS score: 9.8): An SQL injection vulnerability in Microsoft Configuration Manager that could allow unauthenticated attackers to execute commands on the server or underlying database.
Microsoft patched CVE-2024-43468 in October 2024 as part of its Patch Tuesday updates. However, details on how this vulnerability is being exploited in real-world attacks remain unclear.
The rapid weaponization of vulnerabilities like CVE-2026-1731 highlights the shrinking window for defenders to patch critical systems. Organizations are urged to stay vigilant, apply security updates promptly, and monitor for any signs of exploitation to protect their systems and data.
