CISA Warns: BeyondTrust RCE Flaw Actively Exploited by Ransomware

Summary
– Hackers are actively exploiting the CVE-2026-1731 vulnerability in BeyondTrust’s Remote Support and Privileged Remote Access products for remote code execution.
– CISA added this vulnerability to its Known Exploited Vulnerabilities catalog and gave federal agencies three days to patch or stop using the affected software.
– The vulnerability was a zero-day, with exploitation detected on January 31, before BeyondTrust’s initial disclosure on February 6.
– Cloud-based (SaaS) customers have been patched automatically, while self-hosted instances must manually apply updates or verify automatic patching.
– CISA has flagged the vulnerability with an indicator that it is known to be used in ransomware campaigns.
A critical security flaw in BeyondTrust’s widely used remote support software is now under active attack by ransomware groups, prompting urgent action from federal cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the vulnerability, tracked as CVE-2026-1731, is being exploited in real-world incidents. This flaw allows attackers to execute malicious code on affected systems without needing to authenticate first, posing a severe risk to organizations using the software.
The vulnerability impacts specific versions of BeyondTrust Remote Support and Privileged Remote Access. Systems running Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier are susceptible to remote code execution through a weakness in how the software handles OS commands. Attackers can trigger this by sending specially crafted requests to vulnerable endpoints. CISA moved swiftly, adding the flaw to its Known Exploited Vulnerabilities catalog on February 13 and mandating that all federal civilian agencies patch or discontinue use within a strict three-day deadline.
Evidence shows that exploitation began even before the public disclosure. BeyondTrust initially issued an advisory on February 6, but subsequent investigation revealed that anomalous activity linked to this exploit was detected on a customer’s appliance as early as January 31. This means the vulnerability was a zero-day threat for over a week before the vendor became aware. The availability of public proof-of-concept exploit code shortly after disclosure accelerated its adoption by threat actors, leading to the current wave of attacks.
CISA has now flagged this vulnerability with a specific indicator noting it is “Known To Be Used in Ransomware Campaigns,” elevating the threat level significantly. For organizations using the cloud-based SaaS version of BeyondTrust’s products, the vendor applied the necessary patches automatically on February 2, requiring no customer action. However, the situation is more pressing for those with self-hosted deployments.
Administrators of on-premises instances must take immediate steps to secure their environments. The recommended course of action is to enable automatic updates and then verify through the system’s ‘/appliance’ interface that the patch has been successfully applied. If automatic updates are not enabled, a manual installation is required. For BeyondTrust Remote Support, the fix is included in version 25.3.2. Users of Privileged Remote Access must upgrade to version 25.1.1 or a newer release.
Organizations running older, out-of-support versions face an additional hurdle. Those on Remote Support v21.3 or Privileged Remote Access v22.1 cannot apply the patch directly. The vendor’s guidance is clear: these systems must first be upgraded to a supported version before the security update can be installed. Delaying this remediation leaves networks exposed to attackers who are actively leveraging this flaw to deploy ransomware.
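To turn the version thresholds above into a repeatable check for a self-hosted fleet, here is an added example (not BeyondTrust's or CISA's tooling) that classifies an installed build against the advisory. The product names and thresholds come from the text; the status labels, the `v` prefix handling and the treatment of builds between the stated vulnerable ceiling and the fixed release are this example's own assumptions.

```python
"""Classify a self-hosted BeyondTrust build against the CVE-2026-1731 advisory."""
from typing import Tuple

# Thresholds as stated in the advisory summary above. "unsupported_lines" are the
# out-of-support release lines that must move to a supported version before the
# security update can be installed at all.
ADVISORY = {
    "Remote Support": {
        "vulnerable_through": "25.3.1",
        "fixed_in": "25.3.2",
        "unsupported_lines": ("21.3",),
    },
    "Privileged Remote Access": {
        "vulnerable_through": "24.3.4",
        "fixed_in": "25.1.1",
        "unsupported_lines": ("22.1",),
    },
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.3.1' (or 'v25.3') into a comparable tuple, padding to three parts."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'unpatched' or 'unsupported' for one build."""
    if product not in ADVISORY:
        raise ValueError(f"unknown product {product!r}")
    entry = ADVISORY[product]
    installed = parse_version(version)
    # Out-of-support lines are matched on major.minor only (assumption).
    if any(installed[:2] == parse_version(line)[:2] for line in entry["unsupported_lines"]):
        return "unsupported"
    if installed >= parse_version(entry["fixed_in"]):
        return "patched"
    if installed <= parse_version(entry["vulnerable_through"]):
        return "vulnerable"
    # Assumption: a build above the stated vulnerable ceiling but below the fixed
    # release is still treated as needing the upgrade, since no fix exists there.
    return "unpatched"


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    for product, version in [("Remote Support", "25.3.1"), ("Remote Support", "25.3.2"),
                             ("Privileged Remote Access", "v22.1.3")]:
        print(f"{product} {version}: {assess(product, version)}")
```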
(Source: Bleeping Computer)