Critical RCE Flaw Found in BeyondTrust Remote Support Software

Summary
– BeyondTrust disclosed a critical pre-authentication remote code execution flaw (CVE-2026-1731) in its Remote Support and Privileged Remote Access software, requiring immediate patching.
– The vulnerability, an OS command injection, allows unauthenticated attackers to remotely execute commands via crafted requests without user interaction, risking system compromise.
– Approximately 11,000 internet-exposed instances exist, with around 8,500 on-premises deployments remaining vulnerable if not updated to the patched versions.
– While no active exploitation of this flaw is currently known, threat actors have previously exploited other BeyondTrust zero-days, including in attacks linked to a Chinese state-backed group.
– BeyondTrust services are used by over 20,000 customers globally, including most Fortune 100 companies, for secure remote IT support and privileged access management.
A critical security vulnerability has been identified in BeyondTrust’s widely used Remote Support and Privileged Remote Access software, posing a severe risk of remote code execution by unauthenticated attackers. This flaw, designated CVE-2026-1731, is a pre-authentication command injection weakness that impacts Remote Support versions 25.3.1 or earlier and Privileged Remote Access versions 24.3.4 or earlier. Security researchers Harsh Jaiswal and the Hacktron AI team discovered the issue, which allows threat actors with no prior access to execute arbitrary operating system commands by sending specially crafted client requests.
Exploitation of this vulnerability is considered low complexity and requires no user interaction, making it a significant threat. According to BeyondTrust, a successful attack could lead to full system compromise, enabling unauthorized access, data theft, and major service disruption. The company has already secured all of its cloud-hosted systems. For on-premises deployments, administrators must manually update to Remote Support 25.3.2 or later, or Privileged Remote Access 25.1.1 or later, if automatic updates are not enabled. The Hacktron team estimates that roughly 11,000 instances are currently exposed on the internet, with about 8,500 of those being on-premises systems that remain vulnerable until patched.
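For administrators working through the remediation step above, the practical question is which appliances in an inventory still sit below the fixed versions. The following triage helper is an added example, not BeyondTrust's or Bleeping Computer's code; the sample inventory, host names and record layout are constructed assumptions, and only the product names and fixed versions come from the article. It compares versions numerically rather than as strings, so that a build such as 25.3.10 is correctly ranked above 25.3.2, and it separates on-premises appliances that need a manual update from vendor-hosted tenants, which the article says BeyondTrust has already secured.

```python
"""Triage an inventory of BeyondTrust appliances against the CVE-2026-1731 fixed versions.

Added example (not vendor code). Inventory records below are constructed;
the product names and fixed versions are taken from the advisory as reported.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum version that contains the fix, per product (from the article).
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "Remote Support": (25, 3, 2),
    "Privileged Remote Access": (25, 1, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.3.10' into (25, 3, 10) so comparisons are numeric.

    A lexical string comparison would wrongly rank '25.3.10' below '25.3.2';
    tuples of ints compare component by component, which is what we want.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Instance:
    host: str
    product: str
    version: str
    cloud_hosted: bool  # vendor-managed tenant vs. self-managed on-prem appliance


def needs_fix(inst: Instance) -> bool:
    """True when the reported version is below the fixed version for its product."""
    if inst.product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {inst.product!r}")
    return parse_version(inst.version) < FIXED_VERSIONS[inst.product]


def triage(inventory: List[Instance]) -> Dict[str, List[str]]:
    """Bucket hosts by the action their owner needs to take.

    patch_now           on-prem appliance below the fixed version; update it yourself
    verify_with_vendor  cloud tenant still reporting an old version; confirm with BeyondTrust
    patched             at or above the fixed version
    """
    buckets: Dict[str, List[str]] = {"patch_now": [], "verify_with_vendor": [], "patched": []}
    for inst in inventory:
        if not needs_fix(inst):
            buckets["patched"].append(inst.host)
        elif inst.cloud_hosted:
            buckets["verify_with_vendor"].append(inst.host)
        else:
            buckets["patch_now"].append(inst.host)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    Instance("rs-eu-01.example", "Remote Support", "25.3.1", cloud_hosted=False),
    Instance("rs-eu-02.example", "Remote Support", "25.3.2", cloud_hosted=False),
    Instance("rs-us-03.example", "Remote Support", "25.3.10", cloud_hosted=False),
    Instance("pra-dc-01.example", "Privileged Remote Access", "24.3.4", cloud_hosted=False),
    Instance("pra-dc-02.example", "Privileged Remote Access", "25.1.1", cloud_hosted=False),
    Instance("rs-cloud.example", "Remote Support", "25.3.1", cloud_hosted=True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:20s} {', '.join(hosts) or '-'}")
```

Feed it whatever your asset inventory exports (a CSV of host, product, version and hosting model maps directly onto `Instance`); the `patch_now` bucket is the list to act on first, since those are the self-managed appliances the article identifies as remaining exposed until updated.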
While BeyondTrust has stated there is no evidence of active exploitation for CVE-2026-1731 at this time, the company’s software has been a high-value target in the past. This incident follows the patching of another high-severity server-side template injection flaw in June 2025. Historical context underscores the seriousness of such vulnerabilities. Two years prior, attackers leveraged two earlier zero-day flaws in the same software suite, CVE-2024-12356 and CVE-2024-12686, to breach BeyondTrust’s own systems. Using a stolen API key from that breach, they subsequently compromised 17 Remote Support SaaS instances.
The repercussions of those previous exploits were substantial and reached the highest levels of the U.S. government. In an incident later attributed to the Chinese state-backed hacking group known as Silk Typhoon, the U.S. Treasury Department’s network was compromised. The attackers are believed to have accessed sensitive, unclassified documents related to potential sanctions actions from a compromised BeyondTrust instance. The same threat actors also targeted other critical agencies, including the Committee on Foreign Investment in the United States and the Office of Foreign Assets Control. Due to the active exploitation, the Cybersecurity and Infrastructure Security Agency mandated that all federal agencies patch one of those vulnerabilities within a single week.
BeyondTrust is a major player in the identity security market, serving over 20,000 customers globally, including a large majority of Fortune 100 companies. Its Remote Support product is an enterprise solution for IT teams to provide technical assistance, while Privileged Remote Access functions as a secure gateway for controlling authorization to critical systems. This latest critical flaw highlights the ongoing security challenges faced by software that manages privileged access and remote connectivity, underscoring the imperative for organizations to apply patches promptly to protect their infrastructure from determined adversaries.
(Source: Bleeping Computer)