PROBABLYPWNED
Vulnerabilities · February 12, 2026 · 3 min read

BeyondTrust Pre-Auth RCE Exposes 11,000 Systems

CVE-2026-1731 allows unauthenticated remote code execution on BeyondTrust Remote Support and Privileged Remote Access products. CVSS 9.9 vulnerability affects 11,000+ exposed instances.

Marcus Chen

BeyondTrust patched a critical pre-authentication remote code execution vulnerability in its Remote Support and Privileged Remote Access products. CVE-2026-1731 carries a near-maximum CVSSv4 score of 9.9—an unauthenticated attacker can execute arbitrary commands by sending specially crafted requests. No user interaction required.

The timing is bad. BeyondTrust's privileged access products are security infrastructure. Organizations deploy them specifically to control and monitor sensitive access. A pre-auth RCE in that infrastructure is particularly damaging because it compromises the tools meant to protect everything else.

What's Vulnerable

Rapid7's analysis confirmed the affected products and versions:

  • Remote Support: Versions 25.3.1 and earlier. Fixed in 25.3.2
  • Privileged Remote Access: Versions 24.3.4 and earlier. Fixed in 25.1.1

The vulnerability stems from improper neutralization of special elements used in OS commands—a command injection flaw in the web interface. Successful exploitation gives attackers command execution in the context of the site user, a privileged account with significant system access.

11,000 Systems Exposed

Internet-wide scanning identified approximately 11,000 BeyondTrust Remote Support and Privileged Remote Access instances directly exposed to the internet. These are prime targets. Any unpatched system is one HTTP request away from full compromise.

BeyondTrust applied patches to SaaS customers automatically on February 2, 2026. Self-hosted customers need to manually apply updates unless they've enabled automatic security updates—a configuration many enterprises disable to maintain change control.

No Active Exploitation—Yet

BeyondTrust says there's no evidence of active exploitation in the wild. That window won't last long. The vulnerability is trivial to exploit once details circulate, and 11,000 exposed targets make an attractive hunting ground.

The company that discovered the vulnerability disclosed it responsibly on January 31, 2026. BeyondTrust shipped patches within days. The speed suggests they understood the severity—CVSS 9.9 isn't something you sit on.

Why Remote Access Tools Are High-Value Targets

Remote access products like BeyondTrust's offerings are installed specifically to provide privileged access to systems. Compromising them gives attackers:

  • Legitimate access pathways: Traffic through remote access tools looks normal. Security teams expect to see it.
  • Broad network reach: These tools typically have access to many systems across the environment.
  • Credential exposure: Sessions through privileged access tools often involve sensitive credentials.
  • Audit trail manipulation: Attackers who control the audit system can cover their tracks.

We've seen this pattern before. The SmarterMail vulnerability that CISA added to its KEV catalog last week also targeted infrastructure software—ransomware operators exploiting the very tools organizations use to manage their environments.

Mitigation and Detection

Patch immediately: Self-hosted customers should apply updates now. If automatic updates are disabled, manually upgrade to Remote Support 25.3.2+ or Privileged Remote Access 25.1.1+.

Limit network exposure: BeyondTrust products shouldn't be directly exposed to the internet without additional access controls. Put them behind VPNs or zero-trust network access solutions.

Review logs: Check web server logs for unusual requests to the BeyondTrust interface, particularly from unfamiliar IP addresses or with unusual parameters.

Monitor for IOCs: As exploitation details emerge, security vendors will publish indicators. Subscribe to BeyondTrust's security advisories and your threat intelligence feeds.
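The patch and log-review steps above can be turned into a repeatable check. The following is an added example written for this article, not BeyondTrust's or Rapid7's code: it flags inventory entries still running an affected version (using the fixed versions the article lists) and triages web server access log lines for the two signals the article names, requests from source addresses outside a trusted range and requests whose query parameters carry shell metacharacters, which is the kind of input a command injection flaw in a web interface would receive. The hostnames, the log lines, the `/EXAMPLE_ENDPOINT` path, and the trusted address prefix are all constructed placeholders; the real request path for CVE-2026-1731 is not given on this page.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Fixed versions as reported on the page; anything older is affected.
FIXED_VERSIONS = {
    "Remote Support": (25, 3, 2),
    "Privileged Remote Access": (25, 1, 1),
}

# Constructed inventory: hostnames are placeholders, not real systems.
INVENTORY = [
    ("rs-01.example.internal", "Remote Support", "25.3.1"),
    ("rs-02.example.internal", "Remote Support", "25.3.2"),
    ("pra-01.example.internal", "Privileged Remote Access", "24.3.4"),
    ("pra-02.example.internal", "Privileged Remote Access", "25.1.1"),
]

# Assumption: admin traffic to the appliance normally comes from this range.
TRUSTED_PREFIXES = ("10.0.",)

# Constructed access log lines in common log format; /EXAMPLE_ENDPOINT is a
# placeholder path, not the vulnerable endpoint.
SAMPLE_LOG = [
    '10.0.5.23 - - [12/Feb/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/Feb/2026:09:15:10 +0000] "POST /EXAMPLE_ENDPOINT?name=report;id HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Feb/2026:09:16:33 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.5.23 - - [12/Feb/2026:09:17:01 +0000] "GET /EXAMPLE_ENDPOINT?name=report HTTP/1.1" 200 40',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters a shell would treat as command separators or substitutions.
SHELL_META = re.compile(r"[;|`$\n]|\$\(")


def parse_version(version):
    """'25.3.1' -> (25, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def needs_patch(product, version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSIONS[product]


def triage_inventory(inventory):
    """Return the (host, product, version) entries that still need the update."""
    return [entry for entry in inventory if needs_patch(entry[1], entry[2])]


def query_params(target):
    """Split the query string by hand so ';' inside a value is kept intact."""
    query = urlsplit(target).query
    params = []
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def review_log_line(line, trusted_prefixes):
    """Return the list of reasons a line deserves a look ([] if benign,
    None if the line does not parse)."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    reasons = []
    if not match["ip"].startswith(trusted_prefixes):
        reasons.append("unfamiliar source IP")
    for key, value in query_params(match["target"]):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacters in parameter '{key}'")
    return reasons


def review_access_log(lines, trusted_prefixes):
    """Return (ip, target, reasons) for every line that raised a reason."""
    flagged = []
    for line in lines:
        reasons = review_log_line(line, trusted_prefixes)
        if reasons:
            match = LOG_LINE.match(line)
            flagged.append((match["ip"], match["target"], reasons))
    return flagged


if __name__ == "__main__":
    for host, product, version in triage_inventory(INVENTORY):
        print(f"PATCH {host}: {product} {version}")
    for ip, target, reasons in review_access_log(SAMPLE_LOG, TRUSTED_PREFIXES):
        print(f"REVIEW {ip} {target}: {', '.join(reasons)}")
```

Run against a real export, the inventory check tells you which appliances are still below 25.3.2 or 25.1.1, and the log review narrows thousands of lines to the handful worth a human look. The metacharacter heuristic is deliberately broad: a false positive costs an analyst a minute, while a missed pre-auth command injection costs the appliance.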

Timeline Pressure

The gap between patch availability and active exploitation has collapsed in recent years. State-sponsored groups weaponize vulnerabilities within days of disclosure, as we documented with APT28's rapid exploitation of the Microsoft Office zero-day last month.

CVE-2026-1731 affects privileged access infrastructure with 11,000 exposed instances and a straightforward exploitation path. CISA's recent directive on edge device replacement underscores how seriously federal authorities view exposed security infrastructure. If you're running affected BeyondTrust products, patch today. The attackers scanning for this vulnerability aren't waiting.
