CISA orders federal agencies to patch BeyondTrust flaw within three days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Friday ordering federal agencies to secure BeyondTrust Remote Support instances by the end of Monday, February 16, after the vulnerability tracked as CVE-2026-1731 was added to its Known Exploited Vulnerabilities catalog.

KEY FACTS

  • Vulnerability: CVE-2026-1731 is a remote code execution flaw from an OS command injection
  • Affected software: Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier
  • Exposure: About 11,000 Remote Support instances were exposed online, with roughly 8,500 on-premises
  • Deadline: Federal Civilian Executive Branch agencies must secure instances by February 16 under BOD 22-01

All Remote Support and Privileged Remote Access SaaS instances were patched on February 2. On-premises customers must install fixes manually. The vendor posted updates on February 6 in the security advisory.

The flaw stems from an OS command injection and allows unauthenticated remote execution of operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and can lead to system compromise including unauthorized access, data exfiltration, and service disruption.

The alert added the flaw to the Known Exploited Vulnerabilities catalog after public reports of active exploitation. The directive requires agencies to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

WHY IT MATTERS

The flaw is exploitable without authentication and was observed in active attacks, increasing the risk of compromise for unpatched systems. Federal and on-premises customers should apply available updates immediately and assume unpatched devices may be compromised.