Attackers are exploiting a recently patched critical vulnerability (CVE-2026-1731) in internet-facing BeyondTrust Remote Support and Privileged Remote Access instances.
“Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel,” Ryan Dewhurst, Head of Threat Intelligence at watchTowr, confirmed on Thursday.
Rapid7 researchers published a technical analysis and proof-of-concept (PoC) exploit for CVE-2026-1731 on Tuesday, Feb. 10.
Defused Cyber and GreyNoise have also detected widespread reconnaissance and limited exploitation activity.
“So far we have observed exploits leveraging the Nuclei script, but no other variations of the exploit,” Defused Cyber said.
Reconnaissance activity
CVE-2026-1731 is an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on a BeyondTrust Remote Support or Privileged Remote Access instance.
The vulnerability is in the same endpoint (get_portal_info) as CVE-2024-12356, which was exploited as a zero-day by Chinese state-sponsored attackers in 2024 to breach the US Treasury Department.
GreyNoise researchers say it is effectively a variant of CVE-2024-12356: “Same WebSocket endpoint, different code path.”
The threat intelligence company, which specializes in analyzing activity targeting internet-facing systems, says that internet-wide scanning and reconnaissance activity surged on Wednesday, Feb. 11, and that it mostly originates from a single IP associated with a known scanning operation.
“Standard BeyondTrust deployments run on HTTPS (port 443), but few sessions target that port. The rest systematically probed clusters of non-standard ports, suggesting the attackers know that enterprises often move BeyondTrust to non-default ports for security-through-obscurity,” the company also noted.
What to do?
BeyondTrust applied a patch for CVE-2026-1731 to all Remote Support SaaS and Privileged Remote Access SaaS customers on February 2, and urged customers with on-prem instances to patch quickly.
Organizations that have failed to do it should assume compromise and investigate.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
