TL;DR
- CVE-2026-1731 is a CVSS 9.9-rated remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access — no password needed to exploit it [1].
- Active exploitation began within 24 hours of the public proof-of-concept release on February 10, 2026; CISA added it to the Known Exploited Vulnerabilities catalog on February 13 [2].
- If your business uses BeyondTrust for IT support or privileged access, you need to check your version and patch today — SaaS customers are already protected, on-premise customers are not [1][3].
- This is not just a government problem. BeyondTrust serves over 20,000 customers across 100+ countries, including 75% of the Fortune 100 [2].
- The patch is free. The fix takes minutes. The alternative — an attacker with full OS-level access to your infrastructure — is not a good time [3].
What Is CVE-2026-1731, and Why Should Your Business Care?
A critical security flaw was publicly disclosed on February 6, 2026, affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) — two tools widely used by IT teams and managed service providers to remotely connect to and manage computer systems [1]. The vulnerability is tracked as CVE-2026-1731 and carries a CVSS (Common Vulnerability Scoring System) score of 9.9 out of 10 — one of the highest severity ratings possible [3].
What makes this flaw particularly serious is what an attacker does not need. According to BeyondTrust's own security advisory, successful exploitation "requires no authentication or user interaction" [1]. An attacker with internet access and the right payload can send a single crafted WebSocket message to your BeyondTrust appliance and gain the ability to execute arbitrary operating system commands — effectively taking over the machine [3]. From there, they have access to every system that appliance manages, including credential vaults and session recordings [3].
BeyondTrust products are, by design, internet-facing. They hold the keys to the most sensitive parts of your infrastructure. That is exactly what makes this vulnerability worth treating as a five-alarm situation.
How Does This Vulnerability Actually Work?
Security researchers at Hacktron AI, who discovered and responsibly disclosed the flaw to BeyondTrust on January 31, 2026, identified approximately 11,000 BeyondTrust Remote Support instances exposed on the public internet — roughly 8,500 of which are on-premises deployments [2].
The technical root cause is an OS command injection weakness (CWE-78) in a shell script called thin-scc-wrapper, which is reachable through the /nw WebSocket endpoint without authentication [3]. The script takes a remoteVersion parameter from incoming messages and passes it to a Bash arithmetic evaluation without sanitisation. In Bash, arithmetic contexts can execute nested command substitutions, meaning a carefully crafted version string causes the shell to execute attacker-controlled commands instead [3].
This is the same WebSocket endpoint that was exploited as a zero-day in December 2024 (CVE-2024-12356) in a high-profile nation-state attack linked to the Chinese threat group Silk Typhoon, which used a stolen API key to compromise 17 BeyondTrust SaaS instances — including the U.S. Treasury Department's systems [2]. CVE-2026-1731 exploits a different code path in the same endpoint, meaning organisations that applied earlier patches are still exposed if they haven't applied the latest fix [3].
Active exploitation was confirmed by multiple independent security firms — including GreyNoise, watchTowr, Arctic Wolf, and Darktrace — within 24 hours of a public proof-of-concept appearing on GitHub on February 10, 2026 [3]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and ordered Federal Civilian Executive Branch agencies to patch within three days [2].
Am I Affected? How to Check Right Now
The vulnerability affects:
- BeyondTrust Remote Support (RS): versions 25.3.1 and earlier [1][3]
- BeyondTrust Privileged Remote Access (PRA): versions 24.3.4 and earlier [1][3]
Cloud/SaaS customers: BeyondTrust automatically applied the patch to all cloud-hosted RS and PRA instances on February 2, 2026. No action required for SaaS users [1].
On-premises customers: You must manually install the patch. Check your version in the BeyondTrust admin console. If you are running RS 25.3.1 or earlier, or PRA 24.3.4 or earlier, apply the BT26-02 patch immediately [1][3].
According to Arctic Wolf, customers running self-hosted RS versions older than 21.3 or PRA versions older than 22.1 must first upgrade to a newer version before applying the patch [4]. If you are that far behind, this is your sign to prioritise that upgrade.
The fix is available in:
- Remote Support 25.3.2 and later
- Privileged Remote Access 25.1.1 and later [3]
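As an added example (not BeyondTrust's code, nor code from any of the vendors cited here), the POSIX shell script below classifies a self-hosted RS or PRA version against the affected, fixed and upgrade-first ranges quoted in this article, and first validates the version string with the strict digits-and-dots allow-list that the vulnerable script lacked. The range values and the labels it prints are taken from this article, not from the vendor advisory, and are assumptions for the purpose of the example.

```shell
#!/bin/sh
# Added example (not BeyondTrust's or any vendor's code). Assumed values:
#   affected       RS <= 25.3.1, PRA <= 24.3.4  (advisory ranges)
#   fixed          RS >= 25.3.2, PRA >= 25.1.1  (releases carrying the fix)
#   upgrade first  RS <  21.3,   PRA <  22.1    (Arctic Wolf note)

# Accept only digits separated by single dots. This is the discipline the
# vulnerable script lacked: a version string from an untrusted source must be
# validated before it reaches shell arithmetic, where $(( )) would evaluate
# nested expansions embedded in it.
is_safe_version() {
    case "$1" in
        '' | .* | *. | *..* | *[!0-9.]* ) return 1 ;;
    esac
    return 0
}

# True (exit 0) when version $1 is strictly lower than version $2. Components
# are compared numerically left to right; a missing component counts as 0, so
# 25.3 equals 25.3.0. Both arguments must already have passed is_safe_version.
version_lt() {
    l="$1." r="$2."
    while [ -n "$l" ] || [ -n "$r" ]; do
        lc=${l%%.*}; l=${l#*.}
        rc=${r%%.*}; r=${r#*.}
        [ "${lc:-0}" -lt "${rc:-0}" ] && return 0
        [ "${lc:-0}" -gt "${rc:-0}" ] && return 1
    done
    return 1
}

# Usage: assess <RS|PRA> <version>
# Prints one word: invalid, fixed, affected-apply-BT26-02,
# affected-upgrade-first, or check-advisory (above the affected range but
# below the first fixed release, so confirm against the vendor advisory).
assess() {
    is_safe_version "$2" || { echo invalid; return 0; }
    case "$1" in
        RS)  last_bad=25.3.1; fixed=25.3.2; min_patchable=21.3 ;;
        PRA) last_bad=24.3.4; fixed=25.1.1; min_patchable=22.1 ;;
        *)   echo invalid; return 0 ;;
    esac
    if ! version_lt "$2" "$fixed"; then
        echo fixed
    elif version_lt "$last_bad" "$2"; then
        echo check-advisory
    elif version_lt "$2" "$min_patchable"; then
        echo affected-upgrade-first
    else
        echo affected-apply-BT26-02
    fi
}

# Command-line use: sh check.sh RS 25.3.1
if [ "$#" -eq 2 ]; then assess "$1" "$2"; fi
```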
What Happens If You Don't Patch?
Once exploited, CVE-2026-1731 gives an attacker operating system-level access to the BeyondTrust appliance and, by extension, everything it manages. BeyondTrust's advisory notes that "successful exploitation may lead to system compromise, including unauthorized access, data exfiltration, and service disruption" [1].
In practical terms for a business, this means:
- Full network access: Your IT support tool becomes the attacker's tunnel into every endpoint it manages.
- Credential theft: BeyondTrust PRA stores and brokers privileged credentials. A compromised appliance exposes every account in the vault.
- Ransomware deployment: Attackers with OS-level access can install ransomware across all managed systems with minimal additional effort.
- Compliance violations: A breach via an unpatched, known-exploited vulnerability creates significant exposure under the Australian Privacy Act, GDPR, and similar frameworks.
watchTowr's head of threat intelligence stated that unpatched devices "should be assumed to be compromised" [2]. That is the industry standard posture when active exploitation of a critical flaw is confirmed.
According to the 2026 Unit 42 Global Incident Response Report, which analysed over 750 major cyber incidents, attackers now move from initial access to data exfiltration in as little as 72 minutes — four times faster than the previous year [5]. In this environment, a known-exploitable, internet-facing tool is not a risk you can defer.
Your 5-Step Response Plan
Knowing about a vulnerability is only half the job. Here is what your business should actually do, in order:
Step 1: Identify Whether You Use BeyondTrust
Check with your IT team or managed service provider (MSP). BeyondTrust products are commonly used by IT support desks and MSPs for remote access and privileged session management.
Step 2: Determine Your Deployment Type
Log into your BeyondTrust admin console. Check whether you are on the SaaS/cloud version (already patched) or an on-premises deployment (requires manual action).
Step 3: Check Your Version
On-premises RS: navigate to /login → About page. On-premises PRA: same path. Compare your version against the affected ranges [1][3].
Step 4: Apply the Patch
Download BT26-02 from the BeyondTrust Trust Center at beyondtrust.com/trust-center/security-advisories/bt26-02. Follow vendor installation instructions. Note: if your version is very old (RS < 21.3 or PRA < 22.1), you need to upgrade to an intermediate version first [4].
Step 5: Verify and Monitor
After patching, verify the version number in the admin console. Enable enhanced logging and review recent access logs for signs of exploitation — watchTowr recommends treating any unpatched device as already compromised [2]. Contact a cybersecurity professional if you see anomalies.
Why Remote Access Tools Are High-Value Targets
This is not an isolated incident. BeyondTrust, TeamViewer, Citrix, and other remote access platforms are frequently targeted by sophisticated threat actors precisely because they are trusted, internet-facing, and hold keys to critical infrastructure [5].
According to the 2026 Unit 42 Global Incident Response Report, identity weaknesses played a material role in nearly 90% of cyber investigations, and in 23% of incidents, attackers leveraged third-party SaaS applications to bypass traditional security perimeters [5]. Remote access tools sit squarely at this intersection of identity and third-party risk.
The Cybersecurity Insiders 2026 Outlook notes that 58% of financial firms report lacking continuous visibility into third-party exposures — and remote access platforms used by MSPs and IT teams are third-party exposure points for every business they serve [6].
Securing your remote access tools is not a checkbox exercise. It is ongoing operational discipline.
FAQ
What is CVE-2026-1731?
CVE-2026-1731 is a critical remote code execution vulnerability (CVSS 9.9) in BeyondTrust Remote Support and Privileged Remote Access software. It allows an unauthenticated attacker to execute arbitrary operating system commands by sending a crafted WebSocket message to an internet-exposed BeyondTrust appliance — no password required. It was publicly disclosed on February 6, 2026, and active exploitation was confirmed by February 10, 2026 [1][3].
Am I at risk if my MSP uses BeyondTrust?
Possibly. If your managed service provider (MSP) uses BeyondTrust Remote Support or Privileged Remote Access to manage your systems, and they run an on-premises (self-hosted) deployment on an unpatched version, your systems may be at risk through your provider's appliance. Ask your MSP directly whether they use BeyondTrust and whether they have applied the BT26-02 patch [1][3].
Are cloud/SaaS customers already protected?
Yes. BeyondTrust automatically patched all cloud/SaaS-hosted instances of Remote Support and Privileged Remote Access on February 2, 2026. Cloud customers do not need to take any action. Only on-premises (self-hosted) customers need to manually apply the patch [1].
How quickly are vulnerabilities like this exploited?
Very quickly. In the case of CVE-2026-1731, a public proof-of-concept appeared on GitHub on February 10, 2026, and active exploitation was confirmed by multiple independent security firms within 24 hours [3]. The 2026 Unit 42 Incident Response Report found that in the fastest cases investigated, attackers moved from initial access to data exfiltration in just 72 minutes [5]. The window to patch before exploitation is extremely short for high-severity, publicly disclosed vulnerabilities.
What should I do if my appliance may already have been compromised?
Immediately isolate the appliance from your network (disconnect from the internet). Preserve logs for forensic investigation. Contact your cybersecurity team or a specialist incident responder. Do not simply patch and continue — if exploitation occurred before the patch, the attacker may have already established persistence. Engage professional incident response support to investigate and remediate fully.
References
[1] BeyondTrust, "BT26-02 Security Advisory," BeyondTrust Trust Center, Feb. 6, 2026. [Online]. Available: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
[2] L. Abrams, "CISA gives feds 3 days to patch actively exploited BeyondTrust flaw," BleepingComputer, Feb. 17, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-beyondtrust-flaw-within-three-days/
[3] Orca Security, "Critical CVE-2026-1731 Vulnerability in BeyondTrust Remote Support and PRA Exposes Systems to Remote Code Execution," Orca Security Blog, Feb. 18, 2026. [Online]. Available: https://orca.security/resources/blog/cve-2026-1731-beyondtrust-vulnerability/
[4] Arctic Wolf, "CVE-2026-1731 | BeyondTrust Remote Support and PRA Critical RCE," Arctic Wolf Resources, Feb. 2026. [Online]. Available: https://arcticwolf.com/resources/blog/cve-2026-1731/
[5] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster," Palo Alto Networks Blog, Feb. 17, 2026. [Online]. Available: https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/
[6] Cybersecurity Insiders, "2026 Cybersecurity Outlook: A Maturity Reckoning," Cybersecurity Insiders, Feb. 19, 2026. [Online]. Available: https://www.cybersecurity-insiders.com/2026-cybersecurity-outlook-a-maturity-reckoning/
[7] Help Net Security, "BeyondTrust fixes easy-to-exploit pre-auth RCE vulnerability in remote access tools (CVE-2026-1731)," Help Net Security, Feb. 9, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/02/09/beyondtrust-remote-access-vulnerability-cve-2026-1731/
[8] CISA, "CISA Adds One Known Exploited Vulnerability to Catalog," CISA Alerts, Feb. 13, 2026. [Online]. Available: https://www.cisa.gov/news-events/alerts/2026/02/13/cisa-adds-one-known-exploited-vulnerability-catalog
[9] Xcitium Threat Labs, "CISA Issues Urgent Patch Mandate for Critical BeyondTrust RCE Flaw," Threat Labs News, Feb. 19, 2026. [Online]. Available: https://threatlabsnews.xcitium.com/blog/cisa-issues-urgent-patch-mandate-for-critical-beyondtrust-rce-flaw/
Running remote access tools for your business — or relying on an MSP who does? lil.business provides vulnerability assessments, patch management reviews, and incident response planning for Australian SMBs. Book a free consultation and make sure your remote access stack isn't your biggest liability.
ELI10: There's a Master Key That Unlocks Business Computers
Explained Like You're 10 — by lilMONSTER at lil.business
Imagine your IT person has a special master key that lets them unlock any computer in your office from anywhere in the world. That key is how they fix problems, install software, and keep everything running — even when they're working from home.
Now imagine someone figured out that your master key has a secret flaw. With just a little trick, anyone on the internet can copy your master key — without ever meeting your IT person, without knowing any passwords, without knocking on your door.
That is exactly what CVE-2026-1731 is.
The Flaw, in Plain Language
A popular IT tool called BeyondTrust Remote Support — used by IT teams and IT providers to manage computers remotely — had a bug discovered this month. Security researchers found that if you sent it a cleverly written message, it would run any command you told it to run. No login. No password. No permission needed.
Think of it like a vending machine that's supposed to only accept coins — but someone discovered that if you shake it just right, it gives you everything inside for free. Except instead of snacks, it's handing over your entire computer network.
The flaw got a score of 9.9 out of 10 for severity. That's basically as serious as it gets.
Who Found Out First?
A security research team called Hacktron AI found the flaw and told BeyondTrust about it on January 31, 2026. BeyondTrust quietly released a fix on February 6. But by February 10, someone had figured out the same trick and posted instructions online for everyone to see.
Within 24 hours, attackers were using those instructions to break into unpatched systems. A U.S. government agency called CISA — America's top cybersecurity watchdog — ordered all government offices to fix it within three days.
Does This Affect Your Business?
If your IT team or IT provider uses BeyondTrust Remote Support to manage your computers, you need to ask one question: "Have you applied the BT26-02 patch?"
- If you use the cloud version: you're already fixed. Nothing to do.
- If you use the installed-on-a-server version: you need to patch it manually, right now.
Not sure which one you have? Ask your IT person or provider. If they don't know, that's also important information.
What You Can Do Today
- Ask your IT team or MSP: "Do we use BeyondTrust? Is it patched against CVE-2026-1731?"
- Get a straight answer: They should know immediately. If they're unsure, push for a same-day answer.
- Check your logs: If you've been running an unpatched version and someone connected to it in the last week, flag it for investigation.
The Bigger Picture
This isn't the first time BeyondTrust has been in the news. Two years ago, a Chinese hacking group used a different flaw in the same product to break into the U.S. Treasury. This tool is a high-value target precisely because it's designed to have access to everything.
That's not a reason to panic. It's a reason to patch.
lil.business helps Australian small businesses check, patch, and secure their remote access tools — without the confusing jargon. Book a free 30-minute consultation and make sure your IT setup isn't a door left wide open.