BeyondTrust fixed a critical remote code execution vulnerability (CVE-2026-1731) in its Remote Support (RS) and Privileged Remote Access (PRA) solutions and is urging self-hosted customers to apply the patch as soon a possible.
Unlike the Remote Support zero-day (CVE-2024-12356) that was flagged after having been exploited by China-nexus threat actors to breach the US Treasury Department in late 2024, this newest vulnerability was discovered and privately disclosed by a security researcher.
About CVE-2026-1731
BeyondTrust Privileged Remote Access is a remote help/remote access tool for IT and support teams to troubleshoot and fix problems on enterprise endpoints.
BeyondTrust Privileged Remote Access (PRA) is a product designed to provide privileged users (IT admins, third-party vendors, etc.) secure, controlled, and audited access to internal systems.
Organizations can deploy both solutions either on-premises or in the cloud, including via software-as-a-service (SaaS) models.
CVE-2026-1731 is caused by improper neutralization of special elements used in an OS command. It can be triggered by unauthenticated remote attackers sending a specially crafted client request to a vulnerable BeyondTrust RS or PRA instance.
“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user,” BeyondTrust says.
“Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”
What to do?
CVE-2026-1731 affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior.
BeyondTrust has applied the patch for its Remote Support SaaS and Privileged Remote Access SaaS customers on February 2, 2026, and is now urging self-hosted customers to either apply the patch and/or upgrade to a fixed version.
“Customers on a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 will need to upgrade to a newer version to apply this patch,” the company added.
While there is no indication that CVE-2026-1731 is being leveraged by attackers, skilled attackers may quickly reverse-engineer the patch, pinpont the vulnerability, and devise an exploit.
The flaw was reported by Harsh Jaiswal and the Hacktron AI team, who pointed out that there are around 8,500 internet-facing on-prem Remote Support deployments out there that may be vulnerable if patches aren’t applied.
“At this time, we are withholding technical details to allow affected parties sufficient time to apply patches. We strongly recommend addressing this vulnerability promptly, as exploitation is straightforward,” they added.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
