BeyondTrust patches critical pre-auth RCE in Remote Support and Privileged Remote Access

BeyondTrust said in an advisory released February 6, 2026 that Remote Support and certain older Privileged Remote Access products contain a critical pre-authentication remote code execution vulnerability tracked as CVE-2026-1731 and rated 9.9 CVSS.

KEY FACTS

  • Incident: Critical pre-auth remote code execution, CVE-2026-1731
  • Affected: Remote Support 25.3.1 and prior, Privileged Remote Access 24.3.4 and prior
  • Severity: CVSS 9.9
  • Fix: RS patched in 25.3.2 and later, PRA patched in 25.1.1 and later

The flaw is an operating system command injection that can be triggered by specially crafted requests. Successful exploitation may allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, enabling unauthorized access, data exfiltration and service disruption.

Affected releases include Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier. The vulnerability is patched by BT26-02-RS for Remote Support and BT26-02-PRA for Privileged Remote Access; RS is patched in versions 25.3.2 and later and PRA in versions 25.1.1 and later.

Self-hosted customers must manually apply the patch if their instance does not receive automatic updates. Instances running Remote Support older than 21.3 or Privileged Remote Access older than 22.1 must be upgraded to reach a patchable release. PRA self-hosted instances may upgrade to 25.1.1 or newer to remediate.
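The version rules above can be applied to an asset inventory to sort instances by the action they need. The following is an added example, not code from BeyondTrust or the advisory: the thresholds and patch names are taken from this article, while the hostnames, the inventory format and the state labels are assumptions.

```python
# Added example. Version thresholds and patch names are copied from the
# article; hostnames and the inventory itself are constructed sample data.
RULES = {
    # product: (last affected, first fixed, oldest patchable, patch name)
    "RS": ((25, 3, 1), (25, 3, 2), (21, 3), "BT26-02-RS"),
    "PRA": ((24, 3, 4), (25, 1, 1), (22, 1), "BT26-02-PRA"),
}

def parse_version(text):
    """'25.3.1' -> (25, 3, 1). Trailing zeros are dropped so '21.3.0' == '21.3'."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError on junk
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(product, version):
    """Return the remediation state for one instance."""
    last_affected, first_fixed, oldest_patchable, patch = RULES[product]
    v = parse_version(version)
    if v >= first_fixed:
        return "fixed"
    if v < oldest_patchable:
        return "upgrade-first"  # too old to take the patch directly
    if v <= last_affected:
        return "apply-" + patch
    # Between last affected and first fixed: the article does not say.
    return "verify-with-advisory"

def triage(inventory):
    """Group (host, product, version) rows by remediation state."""
    result = {}
    for host, product, version in inventory:
        try:
            state = classify(product.upper(), version)
        except (KeyError, ValueError):
            state = "unrecognized"  # unknown product or unparsable version
        result.setdefault(state, []).append(host)
    return result

SAMPLE_INVENTORY = [  # constructed rows: (host, product, version)
    ("support-01.example.internal", "RS", "25.3.1"),
    ("support-02.example.internal", "RS", "21.2.3"),
    ("pra-01.example.internal", "PRA", "25.1.0"),
    ("pra-02.example.internal", "pra", "25.1.1"),
    ("legacy.example.internal", "RS", "unknown"),
]

if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{state:22} {', '.join(hosts)}")
```

Versions that fall between the last affected and first fixed release are flagged for manual checking rather than assumed safe, since the article gives no status for them.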

A technical analysis by Hacktron AI, dated January 31, 2026, lists about 11,000 internet-exposed instances, of which roughly 8,500 were on-prem deployments. Additional technical details have been withheld to allow users time to apply patches.

WHY IT MATTERS

The vulnerability carries very high severity and appears in internet-exposed and on-prem deployments, so applying the supplied patches or upgrading affected installations is necessary to reduce the risk of compromise and service disruption.