BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

Published: February 9, 2026 at 03:03 AM EST

Source: The Hacker News

Summary

BeyondTrust has released updates to address a critical security flaw affecting Remote Support (RS) and Privileged Remote Access (PRA) products that could result in remote code execution.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre‑authentication remote code execution vulnerability,” the company said in an advisory released February 6, 2026.
“By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

The vulnerability is an operating system command injection (CWE‑78) tracked as CVE‑2026‑1731, with a CVSS score of 9.9.


Affected Products and Versions

  • Remote Support – versions 25.3.1 and earlier
  • Privileged Remote Access – versions 24.3.4 and earlier

Patches and Mitigation

  • Remote Support – Patch BT26‑02‑RS, version 25.3.2 and later
  • Privileged Remote Access – Patch BT26‑02‑PRA, version 25.1.1 and later

Self‑hosted customers who are not on automatic update channels should manually apply the appropriate patch. Deployments running Remote Support older than 21.3 or Privileged Remote Access older than 22.1 must upgrade to a newer version before applying the patch.

“Self‑hosted customers of PRA may also upgrade to 25.1.1 or a newer version to remediate this vulnerability,” BeyondTrust added.
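
The version rules above can be applied directly to an asset inventory to decide which deployments need the patch and which must be upgraded first. The following Python is an added example, not code from BeyondTrust or the original article; the host names, the inventory, the status labels and the dotted version format are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    last_affected: tuple  # highest version the article lists as affected
    first_fixed: tuple    # first version the article lists as fixed
    patch_floor: tuple    # below this, upgrade before the patch can be applied
    patch_id: str

# Thresholds as stated in the article for CVE-2026-1731.
RULES = {
    "RS": Rule((25, 3, 1), (25, 3, 2), (21, 3, 0), "BT26-02-RS"),
    "PRA": Rule((24, 3, 4), (25, 1, 1), (22, 1, 0), "BT26-02-PRA"),
}

def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); pad '21.3' to (21, 3, 0)."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def triage(product, version):
    """Classify one deployment; product is 'RS' or 'PRA'."""
    rule = RULES[product]
    v = parse_version(version)
    if v >= rule.first_fixed:
        return "fixed-release"
    if v > rule.last_affected:
        return "not-listed"  # between the two ranges: the article gives no status
    if v < rule.patch_floor:
        return f"upgrade-then-{rule.patch_id}"
    # Assumption: the version string alone does not prove the patch is installed.
    return f"apply-or-verify-{rule.patch_id}"

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("rs-edge-01", "RS", "25.3.1"), ("rs-legacy-02", "RS", "20.1.4"),
    ("rs-new-03", "RS", "25.3.2"), ("pra-dc-01", "PRA", "24.3.4"),
    ("pra-old-02", "PRA", "21.2"), ("pra-mid-03", "PRA", "25.1.0"),
]

def report(inventory):
    """Map each host name to its triage status."""
    return {host: triage(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

Deployments reported as `not-listed` fall between the affected and fixed ranges given here and should be checked against the vendor advisory rather than assumed safe.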

Discovery

Security researcher and Hacktron AI co‑founder Harsh Jaiswal discovered the flaw on January 31, 2026, using an AI‑enabled variant analysis. The analysis identified roughly 11,000 internet‑exposed instances, of which ~8,500 are on‑prem deployments that remain vulnerable if patches are not applied.

“About ~8,500 of those are on‑prem deployments, which remain potentially vulnerable if patches aren’t applied,” Jaiswal said.
Source: Hacktron AI blog

Context

Previous security issues in BeyondTrust Privileged Remote Access and Remote Support have been subject to active exploitation. Users are strongly encouraged to update to the latest patched versions promptly.
