BeyondTrust: BeyondTrust Remote Access Products 0-Day Vulnerability Allows Remote Code Execution

Critical Zero-Day Vulnerability in BeyondTrust Remote Access Platforms Exposes Enterprises to RCE Attacks

BeyondTrust has disclosed a severe pre-authentication remote code execution (RCE) vulnerability, CVE-2026-1731, affecting its Remote Support (RS) and Privileged Remote Access (PRA) platforms. The flaw, classified as an OS command injection (CWE-78), allows unauthenticated attackers to execute arbitrary commands on vulnerable systems without requiring credentials or user interaction.

The vulnerability poses a high-risk threat to enterprise environments, as successful exploitation could lead to full system compromise, data exfiltration, service disruption, and lateral movement within networks. Given BeyondTrust’s widespread use in privileged access management, the impact extends across organizational infrastructures.

Affected Versions & Patch Availability

  • Remote Support (RS): Versions 25.3.1 and earlier are vulnerable.
  • Privileged Remote Access (PRA): Versions 24.3.4 and prior are affected.

BeyondTrust deployed automatic patches for SaaS customers on February 2, 2026, fully remediating the issue. However, self-hosted customers must manually apply fixes:

  • Remote Support: Patch BT26-02-RS (or upgrade to 25.3.2+).
  • Privileged Remote Access: Patch BT26-02-PRA (or upgrade to 25.1.1+).
  • Legacy systems (RS <21.3 or PRA <22.1) must first upgrade to a supported version before patching.
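The version rules above can be applied to an appliance inventory as a triage step. This is an added example, not BeyondTrust tooling: the thresholds and patch names are taken from the text above, while the host names and the operator-supplied `patch_applied` flag are assumptions. PRA releases that fall between the two version statements on this page are reported as unlisted rather than guessed.

```python
# Added example. Version thresholds and patch names are the ones quoted in the
# advisory text above; host names and the patch_applied flag are constructed.
from typing import NamedTuple

class Rule(NamedTuple):
    last_vulnerable: tuple  # highest release the page lists as vulnerable
    first_fixed: tuple      # release the page lists as carrying the fix
    min_patchable: tuple    # older than this: upgrade before patching
    patch: str

RULES = {
    "RS": Rule((25, 3, 1), (25, 3, 2), (21, 3, 0), "BT26-02-RS"),
    "PRA": Rule((24, 3, 4), (25, 1, 1), (22, 1, 0), "BT26-02-PRA"),
}

def parse_version(text):
    """'21.3' -> (21, 3, 0). Only major.minor.patch are compared."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def triage(product, version, patch_applied=False):
    """Return the action the advisory implies for one self-hosted appliance."""
    rule = RULES[product.upper()]
    v = parse_version(version)
    if v >= rule.first_fixed:
        return "fixed"
    if v > rule.last_vulnerable:
        # Falls between the two version statements on the page (PRA only).
        return "unlisted: confirm with vendor"
    if v < rule.min_patchable:
        return f"upgrade to a supported version, then apply {rule.patch}"
    # A version string alone cannot show whether the patch is installed.
    return "patched" if patch_applied else f"apply {rule.patch}"

def triage_inventory(rows):
    """rows: iterable of (host, product, version, patch_applied)."""
    return {host: triage(prod, ver, done) for host, prod, ver, done in rows}

if __name__ == "__main__":
    inventory = [  # constructed sample inventory
        ("rs-gw-01", "RS", "25.3.1", False),
        ("rs-old-02", "RS", "21.2.3", False),
        ("pra-01", "PRA", "24.3.4", True),
        ("pra-02", "PRA", "25.1.0", False),
    ]
    for host, action in triage_inventory(inventory).items():
        print(f"{host}: {action}")
```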

Discovery & Disclosure

The vulnerability was identified by Harsh Jaiswal and the Hacktron AI team using AI-driven variant analysis. BeyondTrust praised their responsible disclosure, which allowed the company to develop and deploy patches before public exploitation occurred. No active attacks have been reported at this time.

Source: https://cybersecuritynews.com/beyondtrust-remote-access-products-0-day-vulnerability/

BeyondTrust cybersecurity rating report: https://www.rankiteo.com/company/beyondtrust
