February 4, 2026
Critical Vulnerability (CVE-2026-1731) in BeyondTrust Under Active Exploitation
On February 4, 2025, BeyondTrust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. The vulnerability has now been assigned CVE-2026-1731 and a CVSS score of 9.9, and it is under active exploitation.
Executive Summary
Update: 2/13/2026: Active exploitation of this vulnerability has been reported in the wild following public disclosure of proof-of-concept code. Threat actors have been observed deploying remote management tools for persistence after exploitation and conducting further lateral movement into victim environments.
A critical pre-authentication remote code execution vulnerability within BeyondTrust Remote Support and certain versions of Privileged Remote Access Products has now been assigned CVE-2026-1731 with a critical CVSS score of 9.9.
Given the internet-facing nature of these systems, confirmed active exploitation in the wild, and the public availability of proof-of-concept exploit code, Beazley Security strongly recommends that affected organizations running self-hosted versions immediately apply patches to vulnerable systems.
On February 4, 2025, BeyondTrust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. At time of writing, there was no CVE assigned and no public information on the vulnerability, but it is being tracked by the vendor as BT26-02. BeyondTrust published more information for customers in a non-public Knowledge Article.
The Remote Support and Privileged Remote Access products facilitate remote access to a wide range of endpoint types, and these products are typically deployed internet-facing by design. As such, a breach of these products can give threat actors not only initial access into an organization's network, but immediate control of internal hosts. Given the urgency communicated by the vendor and the high risk of this type of product being compromised, organizations are urged to update their affected systems as soon as possible.
Affected Systems or Products
Product | Affected Version | Fixed Version |
Remote Support (RS) | 25.3.1 and prior | 25.3.2 |
Privileged Remote Access (PRA) | 24.3.4 and prior | 24.3.5 |
Note: Customers running SaaS versions of the software were automatically patched on February 2, 2026.
Patches
For SaaS deployments of Remote Support and Privileged Remote Access, patch BT26-02-RS or BT26-02-PRA has automatically been applied. Customers using hosted or managed versions of these products should already be covered but should also check their servers to verify.
For on-premises solutions, patches BT26-02-RS and BT26-02-PRA have been released to mitigate this vulnerability. Further details can be found within the Knowledge Article Portal.
Indicators of Compromise
Active exploitation of CVE-2026-1731 has been observed in the wild following the availability of proof-of-concept exploit code. According to Arctic Wolf, threat actors have been observed:
Deploying renamed SimpleHelp remote management tool binaries with names including "remote access.exe"
Adding domain accounts via net commands:
net user REDACTED_USERNAME REDACTED_PASSWORD /add /domain
net group "enterprise admins" REDACTED_USERNAME /add /domain
net group "domain admins" REDACTED_USERNAME /add /domain
Pushing SimpleHelp installations to move laterally across the network with PsExec
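The behaviours listed above can be turned into checks over process-creation events. The following is an added example, not code from Beazley Security or Arctic Wolf: the event field names (host, image, parent_image, cmdline) and the sample events are constructed, and PSEXESVC.exe is the service binary that PsExec runs on the target host.

```python
import re
from pathlib import PureWindowsPath

PRIV_GROUPS = {"enterprise admins", "domain admins"}  # groups named in the advisory
SUSPECT_NAMES = {"remote access.exe"}                 # file name reported in the advisory
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def base(path):
    return PureWindowsPath(path).name.lower()  # lower-cased file name, '' if empty

def classify(event):
    """Return the set of finding labels for one process-creation event."""
    found = set()
    argv = [t.lower() for t in tokens(event["cmdline"])]
    if argv and base(argv[0]) in NET_BINARIES and {"/add", "/domain"} <= set(argv):
        if argv[1:2] == ["user"]:
            found.add("domain-account-created")
        elif argv[1:2] == ["group"] and argv[2:3] and argv[2] in PRIV_GROUPS:
            found.add("privileged-group-member-added")
    if base(event["image"]) in SUSPECT_NAMES:
        found.add("suspect-remote-tool-name")
        if base(event.get("parent_image", "")) == "psexesvc.exe":  # PsExec service
            found.add("remote-tool-started-by-psexec")
    return found

def scan(events):
    """Return (host, sorted labels) for every event with at least one finding."""
    hits = ((e["host"], sorted(classify(e))) for e in events)
    return [(host, labels) for host, labels in hits if labels]

NET = r"C:\Windows\System32\net.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events; hosts, paths and account names are placeholders.
SAMPLE_EVENTS = [
    {"host": "DC01", "image": NET, "parent_image": CMD,
     "cmdline": "net user EXAMPLE_USER EXAMPLE_PASSWORD /add /domain"},
    {"host": "DC01", "image": NET, "parent_image": CMD,
     "cmdline": 'net group "Domain Admins" EXAMPLE_USER /add /domain'},
    {"host": "WS02", "image": NET, "parent_image": CMD,
     "cmdline": 'net group "domain admins" /domain'},  # read-only query, no finding
    {"host": "WS14", "image": r"C:\ProgramData\remote access.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r'"C:\ProgramData\remote access.exe"'},
]
```

Calling scan(SAMPLE_EVENTS) returns the three flagged events. A file-name match alone is a weak signal, so treat it as a lead to confirm against the PsExec parent process and the account changes.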
Technical Details
CVE-2026-1731 is a command injection flaw within BeyondTrust Remote Support and Privileged Remote Access systems allowing a remote attacker to run remote commands on the software without requiring any authentication.
According to an analysis by Rapid7, the flaw appears to exist in how the application processes requests to its web services: an attacker can craft a request that embeds commands, which are then run in the context of the application.
Specifically, the analysis calls out a flaw in Bash-based validation checks within thin-scc-wrapper, a script on the server that checks remote software version numbers and is used when communicating with the application. A malicious 'version number', or command, can be injected within a crafted WebSocket request, resulting in execution of arbitrary OS commands.
Given the critical nature of this pre-authentication remote code execution vulnerability, confirmed active exploitation in the wild, and demonstrated proof-of-concept code, self-hosted customers should patch immediately.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.