BeyondTrust Remote Support / Privileged Remote Access, pre-authentication OS command injection RCE
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. The flaw is an OS command injection (CWE-78) reachable without authentication or user interaction.
Overview
CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA), the widely deployed remote-access and secure-session platforms used by IT support and privileged-access teams. An unauthenticated, remote attacker who sends specially crafted requests can execute operating system commands in the context of the site user, leading to full compromise of the appliance. BeyondTrust published advisory BT26-02 on February 6, 2026, the same day NVD published the record, and automatically patched SaaS instances on February 2, 2026. CISA added the CVE to its Known Exploited Vulnerabilities catalog on February 13, 2026, and flags it as associated with known ransomware campaigns.
Technical Details
The weakness is classified as CWE-78 (improper neutralization of special elements used in an OS command, or OS command injection). Attacker-controlled input reaching a pre-authentication request handler is incorporated into an operating-system command without adequate sanitization, allowing arbitrary command execution as the site user. No authentication, privileges, or user interaction are required, and the attack is delivered over the network. The NVD primary (NIST) assessment is CVSS 3.1 with a base score of 9.8 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; BeyondTrust, as the CNA, assigned a CVSS 4.0 base score of 9.9. Self-hosted RS and PRA deployments remained exposed until the BT26-02 patch was applied manually.
Impact
- Unauthenticated remote code execution on the RS/PRA appliance as the site user.
- Full compromise of the remote-access platform and any privileged sessions it brokers.
- Theft of stored credentials, session recordings, and configuration data.
- Use of the appliance as a pivot into customer and internal networks, with observed ransomware association.
Mitigation
- Upgrade BeyondTrust Remote Support (RS) to version 25.3.2 or later, or apply patch BT26-02-RS.
- Upgrade BeyondTrust Privileged Remote Access (PRA) to version 25.1.1 or later, or apply patch BT26-02-PRA.
- SaaS instances were patched automatically by BeyondTrust on February 2, 2026 and require no customer action; all self-hosted and appliance deployments must be patched manually.
- After patching, treat any internet-exposed instance as potentially compromised: perform incident response and rotate all credentials, API keys, and session secrets handled by the appliance.
Detection
Review the RS/PRA web server and application logs for unauthenticated requests to administrative or session-handling endpoints, particularly requests containing shell metacharacters, command separators, or unexpected encoded payloads. Because exploitation results in OS command execution as the site user, hunt on the underlying host for anomalous child processes spawned by the web application, newly written binaries or web shells, scheduled-task or cron persistence, and unexpected outbound network connections from the appliance. GreyNoise reported reconnaissance and exploitation activity targeting BeyondTrust RS shortly after disclosure, and researchers identified several thousand on-premises instances exposed to the internet, so internet-facing deployments should be considered high priority.

Correlate any suspicious sessions against the appliance's own session logs and recordings, and look for the creation of new local or remote-support user accounts. Confirm the running build against the fixed versions (RS 25.3.2, PRA 25.1.1) or the presence of the BT26-02 patch, since a patched build is the only reliable indicator that the vector is closed. CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities catalog on February 13, 2026 and notes known ransomware-campaign use, so federal agencies and prudent operators should remediate on the shortened timeline.

Given the pre-authentication nature of the flaw and the privileged position these appliances occupy, defenders should not rely solely on log review: any appliance that was internet-reachable while unpatched warrants a full compromise assessment, credential rotation, and review of downstream systems the platform could reach. To operationalize this, enumerate exposure first: identify every RS and PRA instance, determine which were reachable from untrusted networks while unpatched, and prioritize those for investigation, since internet-facing appliances were the primary target set.
Baseline the appliance file system and process tree against a known-good build so newly introduced binaries, scripts, or web shells stand out, and forward appliance and host telemetry to a SIEM so the request and process patterns above are alerted on continuously rather than reviewed once. Because BeyondTrust automatically patched SaaS tenants on February 2, 2026, scope active hunting to self-hosted and appliance deployments, but still confirm that managed SaaS configuration was not altered during the exposure window. Preserve logs and session recordings before remediation; treat eradication as incomplete until the appliance is on a fixed build, every secret it handled is rotated, and the systems it could broker access to have been reviewed for follow-on compromise.
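An added example, not from the advisory or from BeyondTrust, that operationalizes two of the checks above: flagging unauthenticated requests whose decoded path or query carries shell metacharacters or command separators, and comparing a running build against the BT26-02 fixed versions (RS 25.3.2, PRA 25.1.1). The access-log layout, endpoint paths and sample lines are constructed and must be adapted to the appliance's real log format.

```python
import re
from urllib.parse import unquote

# Fixed builds named in advisory BT26-02 (RS 25.3.2, PRA 25.1.1).
FIXED_VERSIONS = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}

# Command separators / substitution tokens an OS command injection relies on.
# A lone '&' is left out: it is the normal query-string separator.
SHELL_META = re.compile(r"[;|`\n\r]|&&|\$\(")

# Constructed access-log layout: "<client> <method> <path> <status> <user>",
# where <user> is '-' for an unauthenticated request (assumption, not real).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def is_patched(product: str, version: str) -> bool:
    """True when the running build is at or above the fixed version.
    An older build with the BT26-02 patch applied is also fixed; confirm
    that separately, since the version string alone cannot show it."""
    return parse_version(version) >= FIXED_VERSIONS[product]

def suspicious_requests(log_lines):
    """Return (client, raw_path) for unauthenticated requests whose decoded
    path or query contains shell metacharacters. Decoding twice catches
    double-encoded payloads such as %253B (-> %3B -> ';')."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        client, _method, path, _status, user = match.groups()
        if user != "-":
            continue  # authenticated traffic is outside this flaw's preconditions
        if SHELL_META.search(unquote(unquote(path))):
            hits.append((client, path))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real appliance output
    "203.0.113.7 GET /login 200 -",
    "203.0.113.9 POST /example?name=a%3Bb 200 -",     # ';' encoded once
    "203.0.113.9 POST /example?name=a%253Bb 200 -",   # ';' double-encoded
    "198.51.100.4 GET /example?q=a%7Cb 200 alice",    # authenticated: skipped
    "198.51.100.5 GET /example?a=1&b=2 200 -",        # plain query separator
]
```

Run `suspicious_requests(SAMPLE_LOG)` to list the two encoded-separator requests; the authenticated line and the plain query string are not reported.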