BeyondTrust Patches Critical Unauthenticated RCE in Remote Support and Privileged Remote Access (CVE-2026-1731)


BeyondTrust has issued patches for a critical pre-authentication remote code execution vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products — the same software previously exploited as zero-days in the 2024 breach of the U.S. Treasury Department.

Tracked as CVE-2026-1731, the flaw is an OS command injection weakness that allows unauthenticated attackers to execute operating system commands through maliciously crafted client requests. No authentication, privileges, or user interaction are required for exploitation.

"Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption," BeyondTrust stated in its advisory.

Affected Versions and Patching

The vulnerability affects Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier.

BeyondTrust secured all cloud RS/PRA instances by February 2. On-premises customers must manually upgrade to Remote Support 25.3.2 or Privileged Remote Access 25.1.1 or later if automatic updates are not enabled.

8,500 On-Premises Instances Potentially Exposed

Security researchers from Hacktron AI, who discovered the vulnerability, warned that approximately 11,000 RS/PRA instances are internet-exposed, including both cloud and on-premises deployments. Roughly 8,500 of those are on-premises systems that remain potentially vulnerable if patches have not been applied.

BeyondTrust confirmed there is no known active exploitation of CVE-2026-1731 at this time.

History of Zero-Day Exploitation

BeyondTrust's remote access products have a documented history of being targeted by advanced threat actors. In late 2024, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after exploiting two RS/PRA zero-days — CVE-2024-12356 and CVE-2024-12686.

That campaign was subsequently linked to Silk Typhoon, a Chinese state-backed espionage group that leveraged the compromised BeyondTrust instance to breach the U.S. Treasury Department, accessing unclassified information related to sanctions actions. The same group also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC).

Given this history, organizations running on-premises RS/PRA deployments should treat this patch with high urgency despite the absence of confirmed exploitation.

Recommendation

Upgrade immediately to Remote Support 25.3.2+ or Privileged Remote Access 25.1.1+. Verify that internet-facing RS/PRA instances are patched and restrict network access to management interfaces where possible. Organizations should also review BeyondTrust's June 2025 advisory for the related Server-Side Template Injection flaw to ensure that fix was also applied.
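The version check above, applied to an asset inventory. This is an example added here, not BeyondTrust's or Hacktron AI's tooling. The CSV columns, hostnames and sample versions are constructed, and the "verify" bucket is an assumption for versions the article does not classify (anything between the affected and fixed bounds, or unparseable).

```python
import csv
import io

# Version bounds as stated in the article.
AFFECTED_MAX = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}  # this version and earlier: affected
FIXED_MIN = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}     # this version and later: fixed

def parse_version(text):
    """'25.3.1' -> (25, 3, 1); None if not three numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Return 'vulnerable', 'patched' or 'verify' for one instance."""
    product = product.strip().upper()
    version = parse_version(version_text)
    if product not in AFFECTED_MAX or version is None:
        return "verify"
    if version <= AFFECTED_MAX[product]:
        return "vulnerable"
    if version >= FIXED_MIN[product]:
        return "patched"
    # Between the two bounds: the article does not say, so check the advisory.
    return "verify"

def triage(inventory_csv):
    """Group hosts by status, internet-facing hosts listed first."""
    result = {"vulnerable": [], "verify": [], "patched": []}
    rows = sorted(csv.DictReader(io.StringIO(inventory_csv)),
                  key=lambda r: r["internet_facing"].strip().lower() != "yes")
    for row in rows:
        result[classify(row["product"], row["version"])].append(row["host"])
    return result

# Constructed sample inventory (hypothetical hosts and column layout).
SAMPLE = """host,product,version,internet_facing
rs-internal.example,RS,25.3.1,no
rs-edge.example,RS,24.1.3,yes
pra-mid.example,PRA,25.0.2,no
pra-new.example,PRA,25.1.1,yes
pra-odd.example,PRA,unknown,yes
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```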
