BeyondTrust Patches Critical 9.9 CVSS RCE Zero-Day in Remote Access Tools

BeyondTrust Patches Critical 9.9 CVSS Zero-Day (CVE-2026-1731) in Remote Support and Privileged Remote Access Products

CRITICAL
Published: February 9, 2026
Updated: February 17, 2026
Categories: Vulnerability, Patch Management


Full Report (when first published)

Executive Summary

BeyondTrust has released emergency patches for a critical zero-day vulnerability, CVE-2026-1731, found in its self-hosted (on-premise) Remote Support (RS) and Privileged Remote Access (PRA) products. The vulnerability is a pre-authentication remote code execution (RCE) flaw, earning it a near-perfect CVSSv4 score of 9.9. An unauthenticated attacker can exploit this weakness by sending a crafted request to a vulnerable appliance, allowing them to execute arbitrary OS commands with site user privileges. This could lead to a complete compromise of the appliance, data theft, or deployment of further malware. BeyondTrust has already patched its cloud-based customers, but all on-premise customers are urged to apply the updates immediately to mitigate the severe risk.

Vulnerability Details

  • CVE ID: CVE-2026-1731
  • Affected Products:
    • BeyondTrust Remote Support (RS) versions 25.3.1 and earlier (self-hosted).
    • BeyondTrust Privileged Remote Access (PRA) versions 24.3.4 and earlier (self-hosted).
  • Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
  • CVSS Score: 9.9 (Critical).
  • Impact: Remote Code Execution (RCE).
  • Authentication: Not required (Pre-authentication).
  • User Interaction: Not required.

An attacker can exploit this vulnerability by sending a single, specially crafted network request to the public-facing interface of a vulnerable BeyondTrust appliance. Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system of the appliance. This provides a direct foothold into a highly privileged and trusted component of an organization's IT infrastructure.

Exploitation Status

The vulnerability was discovered by researcher Harsh Jaiswal and the Hacktron AI team and responsibly disclosed to BeyondTrust. At the time of disclosure, there was no evidence of active exploitation in the wild. However, now that the vulnerability and patches are public, the risk of reverse-engineering and weaponization by threat actors is extremely high. Organizations must act on the assumption that an exploit will become publicly available soon.

Impact Assessment

BeyondTrust's products are used to manage privileged access to critical systems. A compromise of the PRA or RS appliance itself is a worst-case scenario:

  • Complete System Compromise: An attacker could gain full control over the BeyondTrust appliance, effectively owning the "keys to the kingdom."
  • Privilege Escalation: From the compromised appliance, an attacker could potentially intercept, hijack, or initiate privileged sessions to any server or endpoint managed by the tool.
  • Data Theft: The attacker could steal credentials, session recordings, and other sensitive data stored on or passing through the appliance.
  • Lateral Movement: The compromised appliance serves as a perfect launchpad for moving laterally across the entire enterprise network, as it is a trusted system with connections to many other critical assets.
  • Malware Deployment: The appliance could be used to deploy ransomware or other malware to all connected endpoints.

Detection Methods

  • Version Checking: The most straightforward detection method is to check the version of your on-premise BeyondTrust appliances. If you are running an affected version, you are vulnerable.
  • Log Analysis: BeyondTrust advises customers to review appliance logs for indicators of compromise. Security teams should hunt for any log entries showing unusual or unexpected commands being executed by the site user account.
  • Network Monitoring: Analyze web access logs for the appliance, looking for unusual inbound requests or requests that do not conform to the normal API or user traffic patterns. Any malformed or strange-looking requests should be investigated.

Remediation Steps

  • Patch Immediately: This is an urgent and critical requirement. All customers with self-hosted instances must upgrade to the patched versions as soon as possible:
    • Remote Support (RS): Upgrade to version 25.3.2 (Patch BT26-02-RS) or later.
    • Privileged Remote Access (PRA): Upgrade to version 25.1.1 (Patch BT26-02-PRA) or later.
  • Cloud Customers: No action is required for customers using BeyondTrust's cloud or SaaS offerings, as these instances have already been patched by the vendor.
  • Restrict Access: As a temporary compensating control if patching is delayed, restrict network access to the appliance's management interface. Ensure it is not exposed to the public internet and is only accessible from a limited set of trusted internal IP addresses. This reduces the attack surface but does not eliminate the vulnerability.
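The version check described under Detection Methods and the target versions listed under Remediation Steps, as an added example that is not BeyondTrust's tooling or part of the original article. It assumes dotted numeric version strings (for example "25.3.1") and a constructed inventory; because the advisory is silent about PRA builds that sit between 24.3.4 and 25.1.1, those are reported as UNKNOWN rather than guessed.

```python
# Added example (not vendor code): classify self-hosted RS/PRA appliance
# versions against the affected/fixed versions stated in the advisory.
from typing import List, Tuple

# Last affected and first fixed versions for CVE-2026-1731, from the advisory.
VERSION_BOUNDS = {
    "RS":  {"last_affected": "25.3.1", "first_fixed": "25.3.2"},
    "PRA": {"last_affected": "24.3.4", "first_fixed": "25.1.1"},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1); missing trailing components compare as 0."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def classify(product: str, version: str) -> str:
    """Return VULNERABLE, PATCHED or UNKNOWN for a self-hosted appliance.

    product is 'RS' or 'PRA'. Cloud/SaaS tenants were patched by the vendor
    and are out of scope for this check.
    """
    bounds = VERSION_BOUNDS[product.upper()]
    current = parse_version(version)
    if current <= parse_version(bounds["last_affected"]):
        return "VULNERABLE"
    if current >= parse_version(bounds["first_fixed"]):
        return "PATCHED"
    # Between the two stated bounds (e.g. PRA 25.0.x): the advisory says nothing,
    # so do not assume the fix is present.
    return "UNKNOWN"

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Map (hostname, product, version) tuples to one action line each."""
    actions = {
        "VULNERABLE": "patch now ({} or later)",
        "PATCHED": "no action",
        "UNKNOWN": "confirm with vendor that the {} fix is present",
    }
    out = []
    for host, product, version in inventory:
        status = classify(product, version)
        fixed = VERSION_BOUNDS[product.upper()]["first_fixed"]
        out.append(f"{host}: {product} {version} -> {status}: {actions[status].format(fixed)}")
    return out

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = [("rs-appliance-1", "RS", "25.3.1"), ("rs-appliance-2", "RS", "25.3.2"),
              ("pra-appliance-1", "PRA", "24.3.4"), ("pra-appliance-2", "PRA", "25.0.2"),
              ("pra-appliance-3", "PRA", "25.1.1")]
    print("\n".join(triage(sample)))
```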

Timeline of Events

  • February 2, 2026: BeyondTrust patches its cloud and SaaS instances against CVE-2026-1731.
  • February 9, 2026: BeyondTrust publicly discloses CVE-2026-1731 and releases patches for on-premise customers.
  • February 9, 2026: This article was published.

Article Updates

February 17, 2026

Severity increased

BeyondTrust RCE flaw (CVE-2026-1731) is now under active exploitation, prompting CISA to add it to the KEV catalog with an urgent patch deadline.

The critical BeyondTrust RCE vulnerability (CVE-2026-1731) is now being actively exploited in the wild, a significant escalation from its initial disclosure. Following the public release of a proof-of-concept (PoC) exploit on February 10, 2026, widespread scanning and exploitation attempts have been observed. Consequently, CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13, 2026, mandating federal agencies to patch by February 16, 2026. This development underscores the urgent need for all on-premises BeyondTrust users to apply patches immediately to prevent system compromise.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: BeyondTrust, CVE-2026-1731, PAM, Patch Management, RCE, Vulnerability, Zero-Day
