CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
Source: Bleeping Computer

CISA warning on BeyondTrust RCE flaw
Hackers are actively exploiting the CVE‑2026‑1731 vulnerability in the BeyondTrust Remote Support product, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns.
The issue affects:
- BeyondTrust Remote Support 25.3.1 or earlier
- Privileged Remote Access 24.3.4 or earlier
It can be exploited for remote code execution via a pre‑authentication OS command injection.
CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product.
Vulnerability background
BeyondTrust initially disclosed CVE‑2026‑1731 on February 6. The security advisory classifies it as a pre‑authentication remote code execution flaw caused by an OS command injection weakness, exploitable via specially crafted client requests sent to vulnerable endpoints.
- Security advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
- Initial disclosure: https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/
Proof‑of‑concept (PoC) exploits appeared shortly after disclosure, and in‑the‑wild exploitation began almost immediately.
Exploitation timeline
- January 31: Exploitation detected, making the flaw a zero‑day for at least a week.
- February 13: BeyondTrust updated its bulletin to confirm the detection.
- Research confirmation: Harsh Jaiswal and the Hacktron AI team reported anomalous activity on a single Remote Support appliance.
CISA has now activated the “Known To Be Used in Ransomware Campaigns?” indicator in the KEV catalog.
Patch and remediation
- SaaS (cloud‑based) customers: Patch applied automatically on February 2; no manual action required.
- Self‑hosted customers:
  - Enable automatic updates and verify patch installation via the /appliance interface, or
  - Manually install the update.
Version recommendations
| Product | Minimum patched version |
|---|---|
| Remote Support | 25.3.2 |
| Privileged Remote Access | 25.1.1 or newer |
| Older installations (RS v21.3 / PRA v22.1) | Upgrade to a newer major version before applying the patch |
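
As an added example (not from the article or from BeyondTrust), the Python below triages an appliance inventory against the version thresholds listed above. The hostnames and inventory rows are constructed, the product keys `RS` and `PRA` are illustrative, and reading the "older installations" row as "this major.minor or lower" is an assumption.

```python
# Added example: triage an appliance inventory against the article's thresholds.
LAST_AFFECTED = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}  # "or earlier" per the article
FIRST_PATCHED = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}  # minimum patched versions
# Assumption: the "older installations" row means this major.minor or lower.
LEGACY_CUTOFF = {"RS": (21, 3), "PRA": (22, 1)}

def parse_version(text):
    """'v25.3.1' -> (25, 3, 1); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def triage(product, version):
    """Classify one appliance from its reported version string alone."""
    if product not in FIRST_PATCHED:
        return "unknown-product"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"          # review by hand, never assume patched
    if v >= FIRST_PATCHED[product]:
        return "patched"
    if v[:2] <= LEGACY_CUTOFF[product]:
        return "upgrade-major-first"  # newer major version needed before the patch
    if v <= LAST_AFFECTED[product]:
        return "vulnerable"
    # Between the last listed affected build and the first patched one:
    # the article does not say which side such a version is on.
    return "unconfirmed"

def needs_action(inventory):
    """Return (host, product, version, status) for everything not patched."""
    rows = [(h, p, ver, triage(p, ver)) for h, p, ver in inventory]
    return [r for r in rows if r[3] != "patched"]

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("rs-01.example.internal", "RS", "25.3.1"),
    ("rs-02.example.internal", "RS", "25.3.2"),
    ("pra-01.example.internal", "PRA", "24.3.4"),
    ("pra-02.example.internal", "PRA", "25.1.0"),
    ("rs-old.example.internal", "RS", "v21.3"),
    ("pra-03.example.internal", "PRA", "unknown"),
]

if __name__ == "__main__":
    for row in needs_action(SAMPLE):
        print("%-26s %-4s %-8s %s" % row)
```

A version string only shows what the appliance reports; confirm the result in the /appliance interface as described above.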