
"'BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability,' the company said in an advisory released February 6, 2026. 'By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.' The vulnerability, categorized as an operating system command injection, has been assigned the CVE identifier CVE-2026-1731."
"BeyondTrust said successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption. The issue affects the following versions:
- Remote Support versions 25.3.1 and prior
- Privileged Remote Access versions 24.3.4 and prior
It has been patched in the following versions:
- Remote Support: Patch BT26-02-RS, 25.3.2 and later
- Privileged Remote Access: Patch BT26-02-PRA, 25.1.1 and later"
A critical pre-authentication operating system command injection vulnerability (CVE-2026-1731, CVSS 9.9) affects BeyondTrust Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier. An unauthenticated remote attacker may execute operating system commands in the context of the site user by sending specially crafted requests, enabling unauthorized access, data exfiltration, and service disruption. Patches are available in Remote Support 25.3.2 (Patch BT26-02-RS) and Privileged Remote Access 25.1.1 (Patch BT26-02-PRA) and later. Self-hosted instances must apply patches manually or upgrade if running very old versions. The vulnerability was discovered January 31, 2026 via an artificial intelligence tool.
Read at The Hacker News