What is CVE-2026-1731?
CVE-2026-1731 is a pre-authentication OS command injection flaw that can lead to remote code execution in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). BeyondTrust states that an unauthenticated attacker can trigger the issue using specially crafted client requests, resulting in OS command execution in the context of the site user.
Because it is pre-auth and network-reachable, exposed self-hosted appliances are at the highest risk if not patched. BeyondTrust’s advisory also notes observed exploitation attempts against internet-facing, self-hosted environments that remained unpatched before February 9, 2026.
What is Affected By CVE-2026-1731?
CVE-2026-1731 affects specific RS and PRA version ranges, with clear vendor-published “affected” and “fixed” cutoffs. According to BeyondTrust, the affected versions are:
- BeyondTrust Remote Support (RS): 25.3.1 and prior
- BeyondTrust Privileged Remote Access (PRA): 24.3.4 and prior
BeyondTrust also indicates that customers on very old releases may not be able to apply the patch directly and must upgrade first:
- RS versions older than 21.3 must upgrade to a newer version to apply the remediation.
- PRA versions older than 22.1 must upgrade to a newer version to apply the remediation.
Mitigation and Remediation For CVE-2026-1731
The primary remediation for CVE-2026-1731 is to apply BeyondTrust’s BT26-02 patches or upgrade to fixed releases immediately—especially for self-hosted, internet-exposed deployments. BeyondTrust reports that SaaS instances were patched automatically as of February 2, 2026, while self-hosted customers must ensure they have applied the update (manually if not subscribed to the update service).
Recommended remediation actions:
- Remote Support (RS):
  - Apply Patch BT26-02-RS for v21.3 through 25.3.1, or
  - Upgrade to RS 25.3.2 and greater
- Privileged Remote Access (PRA):
  - Apply Patch BT26-02-PRA for v22.1 through 24.X, or
  - Upgrade to PRA 25.1 and greater
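The two lists above (the upgrade-first thresholds and the patch/fixed-release cutoffs) are easy to misread when triaging a fleet, so here is an added example, not BeyondTrust's code, that encodes those published cutoffs and classifies an inventory of appliances into fixed, patched, patch-required and upgrade-required. Hostnames and the inventory format are constructed for illustration; any release below the fixed version is treated as vulnerable unless the BT26-02 patch is recorded as applied, which is a conservative reading of the advisory rather than a vendor statement.

```python
"""Classify BeyondTrust RS/PRA versions against the BT26-02 cutoffs quoted above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    fixed_from: tuple   # first release that needs no patch
    patch_from: tuple   # oldest release the BT26-02 patch can be applied to
    patch_name: str


# Cutoffs as published by BeyondTrust (see the lists above).
PRODUCTS = {
    "RS": Product("Remote Support", (25, 3, 2), (21, 3), "BT26-02-RS"),
    "PRA": Product("Privileged Remote Access", (25, 1), (22, 1), "BT26-02-PRA"),
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product_key, version_text, patch_applied=False):
    """Return 'fixed', 'patched', 'patch-required' or 'upgrade-required'.

    Conservative assumption: anything below the fixed release is vulnerable
    unless the BT26-02 patch has been recorded as applied.
    """
    product = PRODUCTS[product_key]
    version = parse_version(version_text)
    if version >= product.fixed_from:
        return "fixed"
    if version < product.patch_from:
        return "upgrade-required"   # too old for the patch; upgrade first
    return "patched" if patch_applied else "patch-required"


def triage(inventory):
    """inventory: iterable of (host, product_key, version, patch_applied).
    Returns only the hosts that still need action, with their state."""
    return [(host, key, ver, state)
            for host, key, ver, patched in inventory
            if (state := classify(key, ver, patched)) != "fixed"
            and state != "patched"]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("rs-dmz-01", "RS", "25.3.1", False), ("rs-lab-02", "RS", "20.2.0", False),
              ("pra-core-01", "PRA", "24.3.4", True), ("pra-core-02", "PRA", "25.1.0", False)]
    for finding in triage(sample):
        print(*finding)
```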
Operational mitigations and compensating controls (useful while patching/testing):
- Remove direct internet exposure (place RS/PRA behind a VPN, trusted reverse proxy, or dedicated access gateway) and restrict inbound access to known admin networks.
- Add WAF/reverse proxy rules to limit unexpected request patterns and enforce authentication controls at the edge (where applicable).
- Increase monitoring for anomalous process execution on the appliance and unusual outbound connections; BeyondTrust notes exploitation activity focused on internet-facing, unpatched self-hosted environments.
- If you were unpatched and internet-exposed past February 9, 2026, treat this as potential incident response: BeyondTrust explicitly urges immediate action and support engagement for those cases.
Impact of Successful Exploitation of CVE-2026-1731
Successful exploitation can allow attackers to run OS commands without credentials, potentially leading to rapid takeover of systems and privileged remote access pathways. BeyondTrust’s advisory highlights outcomes such as unauthorized access, data exfiltration, and service disruption.
Realistic impacts to plan for include:
- Remote command execution in the context of the site user, which may enable follow-on actions depending on local permissions and environment configuration.
- Credential and session theft opportunities if attackers can access configuration, logs, or secrets on the appliance/host.
- Persistence and lateral movement: Arctic Wolf reports observing post-compromise activity patterns in incidents tied to suspected exploitation, including persistence tooling, discovery, and lateral movement behaviors.
- Increased targeting pressure: GreyNoise observed reconnaissance and probing shortly after public PoC availability, which typically precedes broader exploitation attempts.
Proof of Concept for CVE-2026-1731
Public technical research and PoC references exist for CVE-2026-1731, and defenders should assume opportunistic scanning once details are available. GreyNoise reports that a PoC was posted to GitHub and that reconnaissance began quickly afterward. Arctic Wolf also links a GitHub PoC reference in its update.
To keep this section non-weaponized and focused on defensive validation, below are minimal examples you can use to inventory exposure and verify fixed versions (without sending exploit payloads):
# 1) Inventory: identify hosts exposing BeyondTrust RS/PRA on expected ports
# Replace targets.txt with your IPs/hostnames (one per line).
nmap -iL targets.txt -sV -p 443,8443,10443 --open

# 2) Capture basic HTTP headers (often useful for identifying appliances behind proxies)
# (Does NOT attempt exploitation.) -k skips certificate validation, which many
# appliances with self-signed certificates need; drop it where a trusted CA is in use.
while read -r host; do
    echo "== $host =="
    curl -k -sI --max-time 10 "https://$host/" | grep -Ei 'server:|set-cookie:|location:|www-authenticate:'
done < targets.txt

# 3) Version confirmation (preferred): use BeyondTrust's fixed-version guidance to confirm
# you are on RS 25.3.2+ or PRA 25.1+ OR have applied BT26-02 patches.
# This snippet is a reminder checklist, not an exploit test.
echo "Confirm from appliance/admin UI or release info:"
echo "- RS: 25.3.2+ OR Patch BT26-02-RS applied (v21.3-25.3.1)"
echo "- PRA: 25.1+ OR Patch BT26-02-PRA applied (v22.1-24.X)"
If you need deeper validation, prefer vendor-supported methods (appliance UI/version page, update service status, and patch confirmation) over “exploitability checks,” since active probing can create risk and legal/operational issues. For public research context (without reproducing exploit chains), consult BeyondTrust’s BT26-02 advisory and reputable threat research write-ups.