Urgent Alert: BeyondTrust Exposes Critical Vulnerability in Remote Support Software

BeyondTrust Urges Immediate Patching of Critical Security Flaw

BeyondTrust recently warned customers of a critical security vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) software. The flaw could allow unauthenticated attackers to execute arbitrary code remotely, posing a severe threat to system security.

Identified as CVE-2026-1731, this pre-authentication remote code execution vulnerability was discovered by Harsh Jaiswal and the Hacktron AI team. It specifically impacts versions of BeyondTrust Remote Support prior to 25.3.1 and Privileged Remote Access prior to 24.3.4.

Exploitation of this vulnerability does not require any authentication or user interaction, making it especially dangerous. Attackers can leverage maliciously crafted client requests to execute operating system commands, potentially leading to unauthorized access, data theft, or service disruption.

BeyondTrust took immediate action to secure all RS/PRA cloud systems by February 2, 2026. On-premises customers are strongly advised to patch manually by upgrading to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later, unless automatic updates have been enabled.

The Hacktron team highlighted that approximately 11,000 instances, including cloud and on-prem deployments, are at risk. Failure to apply the necessary patches could leave around 8,500 on-premises deployments vulnerable to exploitation.

Notably, in June 2025, BeyondTrust addressed a high-severity RS/PRA Server-Side Template Injection vulnerability that could also be exploited by unauthenticated attackers for remote code execution.

Previous Zero-Day Exploits Targeting BeyondTrust

While the exploitation status of CVE-2026-1731 remains undisclosed, previous vulnerabilities in BeyondTrust RS/PRA software have been actively targeted. Two years ago, attackers compromised 17 Remote Support SaaS instances using stolen API keys after exploiting two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686).

In a subsequent incident, the U.S. Treasury Department reported a network breach linked to the Silk Typhoon Chinese state-backed hacking group. This breach exposed sensitive information stored within the compromised BeyondTrust instance, including potential sanctions data.

CISA intervened by adding CVE-2024-12356 to its Known Exploited Vulnerabilities list, urging U.S. government agencies to fortify their networks promptly.

BeyondTrust, a global provider of identity security solutions, serves over 20,000 customers worldwide, including major Fortune 100 companies. Its Remote Support and Privileged Remote Access products are used for IT support and for secure access to critical systems and resources.
