BeyondTrust warns of critical RCE flaw in remote support software

Source: Bleeping Computer

BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.

Tracked as CVE‑2026‑1731, this pre‑authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team. It affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

Threat actors with no privileges can exploit it through maliciously crafted client requests in low‑complexity attacks that don’t require user interaction.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user,” BeyondTrust noted. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

BeyondTrust has secured all RS/PRA cloud systems by February 2, 2026 and has advised all on‑premises customers to patch manually by upgrading to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later, if they haven’t enabled automatic updates.

“Approximately 11,000 instances are exposed to the internet including both cloud and on‑prem deployments,” the Hacktron team warned in a Friday report. “About ~8,500 of those are on‑prem deployments which remain potentially vulnerable if patches aren’t applied.”

In June 2025, BeyondTrust fixed a high‑severity RS/PRA Server‑Side Template Injection vulnerability that could also allow unauthenticated attackers to gain remote code execution.

Previous BeyondTrust flaws targeted as zero‑days

While the company has yet to say whether attackers have exploited the recently patched CVE‑2026‑1731 vulnerability in the wild, other BeyondTrust RS/PRA security flaws have been targeted in recent years.

• Two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust’s systems using two RS/PRA zero‑day bugs (CVE‑2024‑12356 and CVE‑2024‑12686) – see the report on Bleeping Computer.

• The U.S. Treasury Department revealed less than one month later that its network had been hacked in an incident later linked to the Silk Typhoon Chinese state‑backed hacking group. Silk Typhoon is believed to have stolen unclassified information about potential sanctions actions and other sensitive documents from the Treasury’s compromised BeyondTrust instance – see coverage on Bleeping Computer and Bloomberg.

• The Chinese cyberspies also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC), both of which rely on BeyondTrust for secure remote access – see the related articles on Bleeping Computer.

• CISA added CVE‑2024‑12356 to its Known Exploited Vulnerabilities catalog on December 19 and ordered U.S. government agencies to secure their networks within a week – see the advisory on Bleeping Computer.

BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75 % of Fortune 100 companies worldwide. Remote Support is the company’s enterprise‑grade remote support solution that helps IT support teams troubleshoot issues remotely, while Privileged Remote Access serves as a secure gateway that enforces authorization rules for specific systems and resources.