BeyondTrust Patches Critical Unauthenticated RCE in Remote Support and Privileged Remote Access (CVE-2026-1731)
BeyondTrust has issued patches for a critical pre-authentication remote code execution vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products — the same software previously exploited as zero-days in the 2024 breach of the U.S. Treasury Department.
Tracked as CVE-2026-1731, the flaw is an OS command injection weakness that allows unauthenticated attackers to execute operating system commands through maliciously crafted client requests. No authentication, privileges, or user interaction are required for exploitation.
"Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption," BeyondTrust stated in its advisory.
Affected Versions and Patching
The vulnerability affects Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier.
BeyondTrust secured all cloud RS/PRA instances by February 2. On-premises customers must manually upgrade to Remote Support 25.3.2 or Privileged Remote Access 25.1.1 or later if automatic updates are not enabled.
8,500 On-Premises Instances Potentially Exposed
Security researchers from Hacktron AI, who discovered the vulnerability, warned that approximately 11,000 RS/PRA instances are internet-exposed, including both cloud and on-premises deployments. Roughly 8,500 of those are on-premises systems that remain potentially vulnerable if patches have not been applied.
BeyondTrust confirmed there is no known active exploitation of CVE-2026-1731 at this time.
History of Zero-Day Exploitation
BeyondTrust's remote access products have a documented history of being targeted by advanced threat actors. In late 2024, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after exploiting two RS/PRA zero-days — CVE-2024-12356 and CVE-2024-12686.
That campaign was subsequently linked to Silk Typhoon, a Chinese state-backed espionage group that leveraged the compromised BeyondTrust instance to breach the U.S. Treasury Department, accessing unclassified information related to sanctions actions. The same group also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC).
Given this history, organizations running on-premises RS/PRA deployments should treat this patch with high urgency despite the absence of confirmed exploitation.
Recommendation
Upgrade immediately to Remote Support 25.3.2+ or Privileged Remote Access 25.1.1+. Verify that internet-facing RS/PRA instances are patched and restrict network access to management interfaces where possible. Organizations should also review BeyondTrust's June 2025 advisory for the related Server-Side Template Injection flaw to ensure that fix was also applied.
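To support the verification step in the recommendation, the following added example (not BeyondTrust's or Hacktron AI's code) triages an asset inventory against the version ranges stated in this article, listing internet-facing vulnerable instances first. It returns "verify" for any version that falls between the stated affected and fixed ranges, such as a PRA build above 24.3.4 but below 25.1.1, because the article places it in neither. The Asset fields, the hostnames and the inventory rows are constructed assumptions, as is the dotted numeric version format.

```python
from typing import NamedTuple

# Version boundaries exactly as stated in the article; nothing else is assumed about the products.
RANGES = {
    "RS": {"last_affected": (25, 3, 1), "first_fixed": (25, 3, 2)},
    "PRA": {"last_affected": (24, 3, 4), "first_fixed": (25, 1, 1)},
}

class Asset(NamedTuple):  # hypothetical inventory row
    host: str
    product: str  # "RS" or "PRA"
    version: str  # dotted numeric string (assumed format)
    internet_facing: bool

def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); '25.3' is padded to (25, 3, 0)."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(asset):
    """Return 'vulnerable', 'patched' or 'verify' for one inventory row."""
    try:
        bounds = RANGES[asset.product.upper()]
        version = parse_version(asset.version)
    except (KeyError, ValueError):
        return "verify"  # unknown product label or unparseable version
    if version >= bounds["first_fixed"]:
        return "patched"
    if version <= bounds["last_affected"]:
        return "vulnerable"
    return "verify"  # between the two stated ranges: confirm with the vendor advisory

def triage(assets):
    """Drop patched rows; order the rest by status, then exposure, then host."""
    rank = {"vulnerable": 0, "verify": 1}
    rows = [(a, classify(a)) for a in assets]
    rows = [r for r in rows if r[1] != "patched"]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[0].internet_facing, r[0].host))

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Asset("rs-dmz.example.com", "RS", "25.3.1", True),
    Asset("rs-lab.example.internal", "RS", "25.3.2", False),
    Asset("rs-old.example.internal", "RS", "24.2", False),
    Asset("pra-edge.example.com", "PRA", "24.3.4", True),
    Asset("pra-core.example.internal", "PRA", "25.1.0", False),
]

if __name__ == "__main__":
    for asset, status in triage(INVENTORY):
        print(f"{status:10} {asset.product:3} {asset.version:8} {asset.host}")
```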