In-the-wild exploitation observed for critical BeyondTrust RCE CVE-2026-1731

Security analysts reported in a GreyNoise blog post that overnight they observed in-the-wild exploitation attempts for CVE-2026-1731 targeting BeyondTrust Remote Support and Privileged Remote Access. The flaw has a CVSS score of 9.9 and can permit unauthenticated remote code execution.

KEY FACTS

  • Incident: Active exploitation attempts observed for CVE-2026-1731 against BeyondTrust products
  • Severity: CVSS 9.9, allowing unauthenticated remote code execution
  • Patches: Remote Support patched by BT26-02-RS for v21.3 through 25.3.1; PRA patch BT26-02-PRA covers v22.1 through 24.x; PRA v25.1 and later do not require patching
  • Reconnaissance: A single IP accounted for about 86% of observed scans, linked to a commercial VPN provider in Frankfurt

Attackers probe the get_portal_info endpoint to extract the x-ns-company header before establishing a WebSocket channel. Successful exploitation can allow an unauthenticated actor to execute operating system commands in the context of the site user, risking unauthorized access, data exfiltration, and service disruption.
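As an added illustration, not code from GreyNoise, BeyondTrust or the original report, the script below runs a simple detection over constructed web access-log lines: it counts requests that touch the get_portal_info endpoint per source IP and reports how concentrated the probing is, mirroring the single-source pattern described above. The log format, the /api/ path prefix and all IP addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in a common access-log style (an assumption;
# real appliance logs may differ). Only the endpoint name comes from the
# report; the path prefix and IP addresses are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:03:14:01 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2026:03:14:02 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512
198.51.100.9 - - [12/Feb/2026:03:15:10 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [12/Feb/2026:03:16:05 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512
192.0.2.44 - - [12/Feb/2026:03:17:30 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512
"""

# Source IP, bracketed timestamp, then the request method and path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def probe_counts(log_text, endpoint="get_portal_info"):
    """Count requests per source IP whose path contains the endpoint name."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and endpoint in rec["path"]:
            counts[rec["ip"]] += 1
    return counts


def top_source_share(counts):
    """Return (ip, share) for the busiest source; share is its fraction of all probes."""
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    ip, n = counts.most_common(1)[0]
    return ip, n / total


if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} probe(s)")
    ip, share = top_source_share(counts)
    print(f"Top source {ip} accounts for {share:.0%} of probes")
```

On real logs, feed the file contents to probe_counts and alert when a single source dominates the endpoint traffic or when probe volume rises sharply after a public proof of concept.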

Reconnaissance activity began within hours of a public proof of concept. The report shows fast weaponization of the flaw and concentrated scanning from a small set of sources, reducing the window for defenders to patch exposed systems.

BeyondTrust has released patches for affected versions. Administrators are advised to apply the Remote Support and Privileged Remote Access updates listed by the vendor and to verify that PRA instances on version 25.1 or later are not vulnerable.

A CISA advisory also lists four additional vulnerabilities in the Known Exploited Vulnerabilities catalog, including CVE-2026-20700 and CVE-2024-43468, reflecting ongoing active exploitation across multiple products.

WHY IT MATTERS

Rapid exploitation of this high-severity vulnerability shows how quickly publicly disclosed flaws can be weaponized, shortening the time available for patching and increasing the risk to internet-exposed infrastructure.