BT26-02

• CVSSv4 score: 9.9

• CVSSv4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L

• Issue Date: 2026-02-06

• Updated On: 2026-02-13

• CVE: CVE-2026-1731

• CWE: CWE-78

• Synopsis: Remote code execution in Remote Support (RS) and Privileged Remote Access (PRA)

• Affected Product: Remote Support (RS) and Privileged Remote Access (PRA)

BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical pre-authentication remote code execution vulnerability that may be triggered through specially crafted client requests. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.

• January 31, 2026 - BeyondTrust Security Team detects anomalous activity on a single Remote Support appliance. An external security researcher subsequently confirmed and validated this activity and reported the vulnerability in Remote Support and Privileged Remote Access to BeyondTrust. Triage and root cause analysis completed. Patch development begins.
• February 2, 2026 - Patches (BT26-02-RS and BT26-02-PRA) issued and automatically deployed to all instances with BeyondTrust’s update service enabled. BeyondTrust SaaS instances fully patched.
• February 3, 2026 - Knowledge article published on the customer portal advising customers to patch.
• February 4, 2026 - Email notification sent to all active self-hosted customers who had not already patched.
• February 6, 2026 - BeyondTrust Security Advisory (BT26-02) and CVE (CVE-2026-1731) published. Subsequent email notification sent to all active self-hosted customers who had not already patched.
• February 10, 2026 - Initial exploitation attempt observed.
• February 10, 2026 - Subsequent email notification sent to all active self-hosted customers who had not already patched.
• Present - Continue to support customers in their patching, investigation, and response.

BeyondTrust is aware of and supporting a limited number of self-hosted customers in responding to active exploitation attempts of the previously disclosed critical vulnerability (CVE-2026-1731) in its Remote Support and Privileged Remote Access solutions. The vulnerability has been patched, and BeyondTrust has automatically applied the update to all applicable instances with the BeyondTrust update service enabled. Active self-hosted customers were directly notified with instructions to download and apply the update.

Observed exploitation activity has been limited to internet-facing, self-hosted environments where the patch had not been applied before February 9, 2026.

Important: We are strongly encouraging all self-hosted customers who had internet-exposed instances that remained unpatched as of February 9 to take immediate action to apply the recommended updates and open a “Severity 1” ticket to BeyondTrust support, citing “BT26-02” in the description.

BeyondTrust’s investigation and support for customers remains ongoing. We are prioritizing rapid validation of new information and will continue to provide transparent updates as findings are confirmed. Protecting the security of our customers and their solutions remains our highest priority.

A patch has been applied to all Remote Support SaaS and Privileged Remote Access SaaS customers as of Feb 2, 2026 that remediates this vulnerability.

Self-hosted customers of Remote Support and Privileged Remote Access should manually apply the patch if their instance is not subscribed to automatic updates in their /appliance interface. Customers on a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 will need to upgrade to a newer version to apply this patch.

Self-hosted customers of Privileged Remote Access may also upgrade to 25.1.1 or a newer version to remediate this vulnerability.

Self-hosted customers of Remote Support may also upgrade to 25.3.2 to remediate this vulnerability.

We would like to thank Harsh Jaiswal and the Hacktron AI team for responsibly disclosing this vulnerability to BeyondTrust. Hacktron AI identified this vulnerability through their novel approach to AI-enabled variant analysis. Their thorough research and cooperative engagement enabled us to investigate, remediate, and communicate this issue in a timely manner to help protect our customers.

https://www.cve.org/CVERecord?id=CVE-2026-1731

https://nvd.nist.gov/vuln/detail/CVE-2026-1731

https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293