BeyondTrust CVSS 9.9 Pre-Auth RCE Now Exploited in the Wild as Attackers Target Remote Access Infrastructure
Threat actors have begun actively exploiting a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access appliances, with exploitation detected across global sensor networks overnight.
"Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," said Ryan Dewhurst, head of threat intelligence at watchTowr. "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel."
CVE-2026-1731
The vulnerability, CVE-2026-1731 (CVSS 9.9), allows an unauthenticated attacker to execute operating system commands in the context of the site user by sending specially crafted requests. Successful exploitation enables unauthorized access, data exfiltration, and service disruption. Proof-of-concept exploit code is publicly available, dramatically compressing the window between disclosure and weaponisation.
Patched Versions
Remote Support — Patch BT26-02-RS, versions 25.3.2 and later.
Privileged Remote Access — Patch BT26-02-PRA, versions 25.1.1 and later.
CISA Adds Four to KEV Catalog
Separately, CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog citing active exploitation:
CVE-2026-20700 (CVSS 7.8) — Apple buffer overflow (memory corruption) affecting iOS, macOS, tvOS, watchOS, and visionOS. Exploited in targeted attacks potentially linked to commercial spyware. Patched earlier this week.
CVE-2025-15556 (CVSS 7.7) — Notepad++ download-without-integrity-check flaw exploited by Chinese APT Lotus Blossom to deliver the Chrysalis backdoor through a five-month supply chain compromise of the update pipeline.
CVE-2025-40536 (CVSS 8.1) — SolarWinds Web Help Desk security control bypass enabling unauthenticated access to restricted functionality. Follows a Microsoft report on multi-stage intrusions leveraging exposed WHD instances for initial access and lateral movement.
CVE-2024-43468 (CVSS 9.8) — Microsoft Configuration Manager SQL injection enabling unauthenticated command execution. Patched in October 2024 but now confirmed exploited in the wild with no attribution details disclosed.
Federal agencies face a February 15 deadline for CVE-2025-40536 and March 5 for the remaining three.
Recommendation
Patch BeyondTrust Remote Support and Privileged Remote Access appliances immediately. These products provide direct access to internal systems and privileged sessions, making them high-value targets, and because CVE-2026-1731 requires no authentication, any appliance reachable by an attacker is exposed. Review logs for exploitation indicators: requests to get_portal_info, particularly from addresses that never authenticate, and unexpected WebSocket connections (HTTP 101 upgrades) from the same source shortly afterwards. Restrict external access to the appliance web and management interfaces. For the KEV additions, prioritise SCCM patching given CVE-2024-43468's CVSS 9.8 severity and widespread enterprise deployment, and audit SolarWinds Web Help Desk instances for signs of compromise given Microsoft's report on active multi-stage intrusions.
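One way to turn that log review into a repeatable check, as an added example that is not from the article, from watchTowr or from BeyondTrust: correlate get_portal_info requests with a subsequent WebSocket upgrade (HTTP 101) from the same client, which is the sequence described in the quote above. The log lines are constructed and use an assumed simplified "timestamp ip method path status" format; the request paths are placeholders, and the real appliance log layout and endpoint paths will differ, so the regex and the substring match are the parts to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an ASSUMED "timestamp ip method path status" format.
# This is not the BeyondTrust appliance's log format, and the paths are placeholders;
# only the "get_portal_info" token and the 101 status are the indicators we key on.
SAMPLE_LOG = """\
2026-02-10T01:12:03Z 203.0.113.7 GET /api/get_portal_info 200
2026-02-10T01:12:04Z 203.0.113.7 GET /ws 101
2026-02-10T01:15:00Z 198.51.100.4 GET /login 200
2026-02-10T01:16:30Z 198.51.100.4 GET /api/get_portal_info 200
2026-02-10T02:40:00Z 198.51.100.4 GET /ws 101
2026-02-10T03:00:12Z 192.0.2.9 POST /api/get_portal_info 200
this line does not match the assumed format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(log_text):
    """Parse lines of the assumed format into (ts, ip, method, path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than crashing the triage
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return sorted(events)


def portal_info_requesters(log_text):
    """Every client that touched get_portal_info; with a pre-auth bug each one is worth a look."""
    return {ip for _, ip, _, path, _ in parse_log(log_text) if "get_portal_info" in path}


def find_exploit_sequences(log_text, window_seconds=60):
    """Return (ip, portal_info_ts, upgrade_ts) for clients that requested get_portal_info
    and then completed a WebSocket handshake (HTTP 101) within window_seconds."""
    portal_hits = defaultdict(list)
    sequences = []
    for ts, ip, _, path, status in parse_log(log_text):
        if "get_portal_info" in path:
            portal_hits[ip].append(ts)
        elif status == 101:
            # 101 Switching Protocols is how a successful WebSocket upgrade is logged
            for portal_ts in portal_hits[ip]:
                delta = (ts - portal_ts).total_seconds()
                if 0 <= delta <= window_seconds:
                    sequences.append((ip, portal_ts, ts))
                    break
    return sequences


if __name__ == "__main__":
    print("clients that requested get_portal_info:", sorted(portal_info_requesters(SAMPLE_LOG)))
    for ip, portal_ts, upgrade_ts in find_exploit_sequences(SAMPLE_LOG):
        print(f"suspicious: {ip} get_portal_info at {portal_ts}, WebSocket upgrade at {upgrade_ts}")
```

The window is deliberately short because a scripted exploit moves from the portal-info lookup to the WebSocket channel almost immediately; widen it for hunting, but expect more noise from legitimate console users who also open WebSocket sessions after loading the portal.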