CVE-2026-1731
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability - [Actively Exploited]
Description
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
INFO
Published Date :
Feb. 6, 2026, 10:16 p.m.
Last Modified :
Feb. 17, 2026, 1:40 p.m.
Remotely Exploit :
Yes !
Source :
13061848-ea10-403d-bd75-c83a022c2891
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Detected Feb 26, 2026
Please adhere to the vendor's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible BeyondTrust products affected by this vulnerability. For more information please: see: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 ; https://nvd.nist.gov/vuln/detail/CVE-2026-1731
Affected Products
The following products are affected by CVE-2026-1731
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | 13061848-ea10-403d-bd75-c83a022c2891 | ||||
| CVSS 4.0 | CRITICAL | 13061848-ea10-403d-bd75-c83a022c2891 |
Solution
- Update BeyondTrust Remote Support to the latest version.
- Update Privileged Remote Access to the latest version.
Public PoC/Exploit Available at Github
CVE-2026-1731 has a 14 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-1731.
| URL | Resource |
|---|---|
| https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 | Permissions Required |
| https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 | Vendor Advisory |
| https://github.com/win3zz/CVE-2026-1731 | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731 | US Government Resource |
| https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731 | Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-1731 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-1731
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python
CVE-2026-1731 — BeyondTrust Remote Code Execution Vulnerability
Python
None
None
Shell Python
None
CVE-2026-1731 PoC
beyondtrust cve-2026-1731 poc rce cve-2026
Rust
Passive vulnerability scanner for CVE-2026-1731 — BeyondTrust RS/PRA pre-auth RCE (CVSS 9.9). Educational & defensive use only.
beyondtrust cve-2026-1731 infosec passive-scanner security-tools vulnerability-scanner privileged-remote-access
Python
None
CVE-2026-1731 - Critical command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access due to unsafe Bash arithmetic evaluation in a WebSocket-reachable script
beyondtrust remote-access vulnerability-detection cve-2026-1731
Python
None
None
Python
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
bugbounty cve exp exploit payload poc rce vulnerability
Shell
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-1731 vulnerability anywhere in the article.
-
Daily CyberSecurity
Hackers Exploit Critical BeyondTrust Flaw to Deploy VShell and SparkRAT Across Multiple Sectors
A critical security flaw in a widely used enterprise access platform is under active attack, prompting urgent warnings from cybersecurity researchers and federal agencies alike. According to a new thr ... Read more
-
The Hacker News
BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration
Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of ... Read more
-
security.nl
Kritiek lek in BeyondTrust Remote Support gebruikt bij ransomware-aanvallen
Een kritieke kwetsbaarheid in BeyondTrust Remote Support en BeyondTrust Privileged Remote Access wordt gebruikt bij ransomware-aanvallen, aldus het Amerikaanse cyberagentschap CISA. Via BeyondTrust Re ... Read more
-
CybersecurityNews
Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT
A critical vulnerability in BeyondTrust’s remote support software is being actively exploited by hackers to deliver dangerous backdoors on compromised systems. The flaw, tracked as CVE-2026-1731, carr ... Read more
-
The Hacker News
Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware
This week’s recap shows how small gaps are turning into big entry points. Not always through new exploits, often through tools, add-ons, cloud setups, or workflows that people already trust and rarely ... Read more
-
CybersecurityNews
FileZen File Transfer App Vulnerability Enables Arbitrary Command Execution
FileZen File Transfer App Vulnerability A critical vulnerability has been discovered in the file transfer solution from Soliton Systems K.K., potentially allowing attackers to execute arbitrary system ... Read more
-
CybersecurityNews
CISA Warns of ZLAN ICS Devices Vulnerabilities Allows Complete Device Takeover
ZLAN ICS Devices Vulnerabilities An alert regarding two critical vulnerabilities found in ZLAN Information Technology Co.’s ZLAN5143D industrial communication device. According to the advisory (ICSA-2 ... Read more
-
Help Net Security
Google patches Chrome vulnerability with in-the-wild exploit (CVE-2026-2441)
Google released a security update for Chrome to address a high-severity zero‑day vulnerability (CVE-2026-2441) on Friday. “Google is aware that an exploit for CVE-2026-2441 exists in the wild,” the co ... Read more
-
CybersecurityNews
Critical BeyondTrust Vulnerability Exploited in the Wild to Gain Full Domain Control
BeyondTrust Vulnerability Exploit A critical vulnerability tracked as CVE-2026-1731 is being actively exploited in the wild, enabling attackers to gain full domain control over affected systems. Threa ... Read more
-
Help Net Security
Week in review: Exploited newly patched BeyondTrust RCE, United Airlines CISO on building resilience
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: United Airlines CISO on building resilience when disruption is inevitable In this Help Net Security in ... Read more
-
Daily CyberSecurity
Exploited in the Wild: Critical BeyondTrust Flaw (CVSS 9.9) Opens Door to Network Takeover
Image: win3zz A critical vulnerability in widely used remote access software is currently under active attack, with threat actors using the flaw to plant backdoors and scout corporate networks. Arctic ... Read more
-
Help Net Security
Hackers probe, exploit newly patched BeyondTrust RCE flaw (CVE-2026-1731)
Attackers are exploiting a recently patched critical vulnerability (CVE-2026-1731) in internet-facing BeyondTrust Remote Support and Privileged Remote Access instances. “Attackers are abusing get_port ... Read more
-
security.nl
Kritiek lek in BeyondTrust Remote Support actief misbruikt bij aanvallen
Aanvallers maken actief misbruik van een kritieke kwetsbaarheid in BeyondTrust Remote Support, zo waarschuwen securitybedrijven. Op 6 februari verscheen een beveiligingsupdate voor het probleem. Via B ... Read more
-
The Hacker News
Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability
Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr. "Overni ... Read more
-
TheCyberThrone
Microsoft Patch Tuesday February 2026
Microsoft’s February 2026 Patch Tuesday, released on February 9, 2026, addressed 58 vulnerabilities across Windows, Office, and other components, including six actively exploited zero-days.This update ... Read more
-
TheCyberThrone
BeyondTrust Remote Support Critical Vulnerability- CVE-2026-1731
February 10, 2026Vulnerability SummaryIdentifier: CVE-2026-1731Severity: Critical (CVSS 4.0 base score ~9.9)Type: Pre-authentication remote code execution (RCE) via OS command injectionAffected Softwa ... Read more
-
Help Net Security
BeyondTrust fixes easy-to-exploit pre-auth RCE vulnerability in remote access tools (CVE-2026-1731)
BeyondTrust fixed a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support (RS) and Privileged Remote Access (PRA) solutions and is urging self-hosted customers to apply th ... Read more
-
The Hacker News
BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA
BeyondTrust has released updates to address a critical security flaw impacting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could result in remote c ... Read more
-
Daily CyberSecurity
“JackMa” & ShadowGuard: TGR-STA-1030 Spies on 37 Nations via Linux Rootkit
Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025 | Image: Unit 42 A massive, state-aligned cyber espionage campaign has quietly infiltrated government networks acro ... Read more
-
Daily CyberSecurity
CVE-2026-1731: Critical BeyondTrust Flaw (CVSS 9.9) Allows Pre-Auth RCE
BeyondTrust has issued a critical security alert for its popular remote access solutions, warning of a near-maximum severity vulnerability that could allow hackers to seize control of systems without ... Read more
The following table lists the changes that have been made to the
CVE-2026-1731 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 17, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:beyondtrust:privileged_remote_access:*:*:*:*:*:*:*:* versions up to (excluding) 25.1 *cpe:2.3:a:beyondtrust:remote_support:*:*:*:*:*:*:*:* versions up to (excluding) 25.3.2 Added Reference Type BeyondTrust: https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 Types: Permissions Required Added Reference Type BeyondTrust: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731 Types: US Government Resource Added Reference Type CISA-ADP: https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731 Types: Third Party Advisory Added Reference Type CISA-ADP: https://github.com/win3zz/CVE-2026-1731 Types: Exploit, Third Party Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 14, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731 Added Reference https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 13, 2026
Action Type Old Value New Value Added Reference https://github.com/win3zz/CVE-2026-1731 -
New CVE Received by 13061848-ea10-403d-bd75-c83a022c2891
Feb. 06, 2026
Action Type Old Value New Value Added Description BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-78 Added Reference https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 Added Reference https://www.beyondtrust.com/trust-center/security-advisories/bt26-02