BeyondTrust Patches Critical Pre-Auth RCE Flaw in Remote Access Tools

Summary
– BeyondTrust has patched a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support and Privileged Remote Access solutions, urging self-hosted customers to update immediately.
– The flaw allows unauthenticated remote attackers to execute operating system commands by sending a specially crafted request to a vulnerable instance, potentially leading to full system compromise.
– It affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior, with SaaS customers already patched as of February 2, 2026.
– The vulnerability was discovered and privately reported by security researchers, with no current evidence of exploitation, though reverse-engineering the patch could lead to attacks.
– Researchers note approximately 8,500 internet-facing on-premises deployments are potentially vulnerable if the patch is not applied, and technical details are being withheld to encourage patching.
A critical security flaw in BeyondTrust’s widely used remote access software has been patched, requiring immediate action from organizations using self-hosted deployments. The vulnerability, tracked as CVE-2026-1731, allows unauthenticated attackers to execute arbitrary operating system commands on affected systems. This represents a severe risk, as exploitation requires no user interaction and could lead to complete system compromise, including unauthorized data access and service disruption.
The issue stems from improper neutralization of special elements used in an OS command. An attacker can trigger it by sending a specially crafted request to a vulnerable instance of either BeyondTrust Remote Support (RS) or Privileged Remote Access (PRA). These tools are fundamental for IT and support teams, providing controlled access for troubleshooting enterprise endpoints. The company confirmed that successful exploitation runs commands in the context of the site user, opening the door for attackers to gain a significant foothold within a network.
This newly disclosed flaw differs from a previous Remote Support zero-day exploited by threat actors last year. CVE-2026-1731 was discovered and privately reported by security researcher Harsh Jaiswal and the Hacktron AI team, not through active in-the-wild attacks. However, the researchers caution that skilled adversaries could reverse-engineer the public patch to create their own exploits, making prompt remediation essential.
The vulnerability impacts Remote Support versions 25.3.1 and earlier, and Privileged Remote Access versions 24.3.4 and earlier. For customers using the software-as-a-service (SaaS) versions of these products, BeyondTrust automatically applied the necessary patch. The urgent call to action is for organizations that host these solutions on their own infrastructure. These self-hosted customers must apply the provided security update or upgrade to a fixed version without delay.
The researchers highlighted the potential scale of the problem, noting there are approximately 8,500 internet-facing, on-premises Remote Support deployments that could be exposed if left unpatched. They have deliberately withheld technical specifics of the flaw to give administrators time to secure their systems but emphasized that exploitation is straightforward once discovered. BeyondTrust further notes that customers on legacy versions (Remote Support older than 21.3 or Privileged Remote Access older than 22.1) will need to complete a full upgrade to a newer, supported version to receive the fix.
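For teams sorting an asset inventory against the version ranges quoted above, the following is an added example, not code from BeyondTrust or the researchers. The product keys (`RS`, `PRA`), the inventory row format, the hostnames and the remediation labels are assumptions made for illustration; only the version bounds come from the article.

```python
import re

# Version bounds as quoted in the article; product keys and labels are assumptions.
BOUNDS = {
    "RS":  {"last_affected": (25, 3, 1), "oldest_patchable": (21, 3)},
    "PRA": {"last_affected": (24, 3, 4), "oldest_patchable": (22, 1)},
}

def parse_version(text, width=4):
    """'25.3.1' -> (25, 3, 1, 0). Zero-padding makes '25.3.1.0' compare equal to '25.3.1'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,%d}" % (width - 1), text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))

def triage(product, version, hosting="self-hosted"):
    """Return a remediation label for one deployment."""
    bounds = BOUNDS.get(product.upper())
    if bounds is None:
        return "unknown-product"
    if hosting.lower() == "saas":
        return "vendor-patched"          # article: SaaS patched as of February 2, 2026
    try:
        v = parse_version(version)
    except ValueError:
        return "manual-review"           # never guess at an unparseable version
    pad = lambda b: b + (0,) * (4 - len(b))
    if v > pad(bounds["last_affected"]):
        return "outside-affected-range"  # not in the range the article lists as affected
    if v < pad(bounds["oldest_patchable"]):
        return "full-upgrade-required"   # legacy release: needs a full upgrade to get the fix
    return "apply-patch"

# Constructed inventory rows: (host, product, version, hosting)
INVENTORY = [
    ("support-01", "RS", "25.3.1", "self-hosted"),
    ("support-02", "RS", "20.1.4", "self-hosted"),
    ("pra-01", "PRA", "24.3.4.0", "self-hosted"),
    ("pra-02", "PRA", "22.1", "self-hosted"),
    ("pra-03", "PRA", "unknown", "self-hosted"),
    ("support-03", "RS", "25.3", "saas"),
]

def triage_inventory(rows):
    return {host: triage(product, version, hosting) for host, product, version, hosting in rows}

if __name__ == "__main__":
    for host, label in triage_inventory(INVENTORY).items():
        print(f"{host:12} {label}")
```

A result of `outside-affected-range` only means the version is above the range the article lists; confirm the fixed build against the vendor advisory before closing the ticket.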
While there are no current reports of this vulnerability being actively exploited, its critical nature and the high value of the targeted systems make it a prime candidate for attackers. Organizations relying on these remote access tools for privileged IT functions should treat this patch as a top priority to prevent potential breaches that could result in data theft and significant operational downtime.
(Source: HelpNet Security)





