BeyondTrust has disclosed a critical, pre-authentication remote code execution (RCE) vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, tracked as CVE-2026-1731. This flaw allows an unauthenticated remote attacker to execute operating system commands via specially crafted requests, potentially resulting in full system compromise.  

The vulnerability carries a CVSS v4 score of 9.9 (Critical) and requires no authentication or user interaction, significantly increasing risk for internet-facing and self-hosted deployments. 

What do I need to know? 

  • Vulnerability: CVE-2026-1731 
  • Severity: Critical (CVSS 9.9) 
  • Attack Vector: Remote, unauthenticated 
  • Root Cause: OS command injection (CWE-78)  
  • Potential Impact 
    • Execution of arbitrary OS commands as the site user 
    • Unauthorized access to systems and sensitive data 
    • Data exfiltration, lateral movement, and service disruption 

Products and Systems Affected 

Impacted Products and Versions 

  • BeyondTrust Remote Support (RS): 25.3.1 and earlier 
  • BeyondTrust Privileged Remote Access (PRA): 24.3.4 and earlier 

What do I need to do? 

We recommend the following steps to identify and remediate this vulnerability: 

  • Review and Audit 
    • SaaS Deployments: BeyondTrust has confirmed all RS and PRA SaaS instances were patched as of February 2, 2026.  
    • Self-Hosted Deployments: 
      • Review and audit all self-hosted implementations of BeyondTrust Remote Support (RS) and BeyondTrust Privileged Remote Access (PRA).  
      • Confirm versions against vulnerable releases. 
      • Prioritize DMZ hosted and externally exposed systems, which face the highest risk. 
      • Manually patch if automatic updates are not enabled. 
  • Patch Immediately 
    • Remote Support (RS): Upgrade to 25.3.2 or later or apply Patch BT26-02-RS 
    • Privileged Remote Access (PRA): Upgrade to 25.1.1 or later or apply Patch BT26-02-PRA 

NOTE: Customers running RS versions older than 21.3 or PRA versions older than 22.1 must first upgrade to a supported release. 

  • Mitigation (If Patching Is Delayed) 
    • Restrict external access to RS/PRA appliances 
    • Enforce IP allowlisting and segmentation controls 
    • Increase monitoring for suspicious or malformed requests 
    • Further isolate remote access infrastructure from sensitive backend systems 
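The review and patch steps above reduce to a version check across every self-hosted appliance, with externally exposed systems sorted to the top. The following script is an added example, not BeyondTrust or NetSPI code. The version thresholds (RS 25.3.1 / PRA 24.3.4 last affected, RS 25.3.2 / PRA 25.1.1 fixed, RS 21.3 / PRA 22.1 minimum supported, hotfixes BT26-02-RS and BT26-02-PRA) are taken from this advisory; the inventory rows, hostnames and the Appliance record layout are constructed for illustration. PRA builds that fall between 24.3.4 and 25.1.1 are reported as "unverified" rather than safe, because the advisory does not state their status; that classification is this example's choice, not the vendor's.

```python
"""Triage a BeyondTrust RS/PRA inventory against the CVE-2026-1731 thresholds.

Added example, not vendor code. Thresholds come from the advisory; the
inventory below is constructed sample data, not real hosts.
"""
from dataclasses import dataclass

# Version thresholds from the advisory, as (major, minor, patch) tuples so
# that Python's tuple comparison orders dotted release numbers correctly.
THRESHOLDS = {
    "RS":  {"last_vulnerable": (25, 3, 1), "fixed": (25, 3, 2), "min_supported": (21, 3, 0)},
    "PRA": {"last_vulnerable": (24, 3, 4), "fixed": (25, 1, 1), "min_supported": (22, 1, 0)},
}

# Severity rank used to order the report: worst first.
RANK = {"vulnerable-unsupported": 0, "vulnerable": 1, "unverified": 2, "patched": 3}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1); shorter strings are padded ('25.3' == '25.3.0')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(product, version):
    """Return 'vulnerable-unsupported', 'vulnerable', 'unverified' or 'patched'."""
    if product not in THRESHOLDS:
        raise ValueError(f"unknown product: {product!r}")
    t = THRESHOLDS[product]
    v = parse_version(version)
    if v < t["min_supported"]:
        # Advisory: these must first be upgraded to a supported release.
        return "vulnerable-unsupported"
    if v <= t["last_vulnerable"]:
        return "vulnerable"
    if v >= t["fixed"]:
        return "patched"
    # Between the last listed affected build and the fixed release (e.g. PRA 25.0.x):
    # the advisory does not state a status, so do not mark it safe.
    return "unverified"


@dataclass
class Appliance:
    host: str
    product: str      # "RS" or "PRA"
    version: str
    exposed: bool     # internet-facing / DMZ hosted
    hotfix: str = ""  # e.g. "BT26-02-PRA" if the patch was applied without a full upgrade


def triage(appliances):
    """Classify each appliance and sort: worst status first, exposed before internal."""
    rows = []
    for a in appliances:
        status = classify(a.product, a.version)
        # A hotfix only counts on a supported, otherwise-affected build.
        if status in ("vulnerable", "unverified") and a.hotfix == f"BT26-02-{a.product}":
            status = "patched"
        rows.append((a.host, a.product, a.version, a.exposed, status))
    rows.sort(key=lambda r: (RANK[r[4]], not r[3], r[0]))
    return rows


# Constructed inventory (not real systems) covering each branch of classify().
SAMPLE_INVENTORY = [
    Appliance("rs-dmz-01.example.test", "RS", "25.3.1", exposed=True),
    Appliance("rs-lab-02.example.test", "RS", "25.3.2", exposed=False),
    Appliance("pra-core-01.example.test", "PRA", "24.3.4", exposed=True, hotfix="BT26-02-PRA"),
    Appliance("pra-old-03.example.test", "PRA", "21.2.1", exposed=False),
    Appliance("pra-new-04.example.test", "PRA", "25.0.3", exposed=True),
]


def report(appliances=SAMPLE_INVENTORY):
    """Print the triage table; returns the rows so callers can act on them."""
    rows = triage(appliances)
    for host, product, version, exposed, status in rows:
        where = "EXTERNAL" if exposed else "internal"
        print(f"{status:<22} {where:<8} {product:<3} {version:<8} {host}")
    return rows


if __name__ == "__main__":
    report()
```

Feed the script your real inventory (CMDB export, EASM findings, or appliance console data) in place of SAMPLE_INVENTORY; anything reported as "vulnerable-unsupported" or "vulnerable" with EXTERNAL exposure is the first patch window, and "unverified" rows should be confirmed against BeyondTrust's own guidance rather than assumed fixed.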

NetSPI Product and Services Coverage 

NetSPI can support customers by: 

  • Identifying exposed and vulnerable BeyondTrust deployments 
  • Assisting with patch planning and upgrade validation 
  • Evaluating compensating controls and detection strategies 

NetSPI’s External Attack Surface Management has issued a detection mechanism for this CVE. The solution employs active exploitation with established safe payloads to assess the target system and identify vulnerable implementations. 

The current detection name is: BeyondTrust RS & PRA (CVE-2026-1731)

We are available to support vulnerability identification, continuous attack surface management, and point-in-time testing. Visit our website for more information. 

Additional Resources