BeyondTrust has identified and patched a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) in its Remote Support (RS) and Privileged Remote Access (PRA) products. This vulnerability is an operating system command injection flaw that allows unauthenticated remote attackers to execute arbitrary OS commands in the context of the site user by sending specially crafted requests. The affected versions include Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier. Exploitation does not require user interaction or authentication, significantly increasing the risk. The flaw could enable attackers to gain unauthorized access, exfiltrate sensitive data, disrupt services, or move laterally within networks. BeyondTrust has released patches (RS 25.3.2 and later, PRA 25.1.1 and later) and strongly recommends immediate patching, especially for self-hosted deployments that do not receive automatic updates. The vulnerability was discovered on January 31, 2026, using AI-based variant analysis, which also identified approximately 11,000 internet-exposed instances, with about 8,500 on-premises deployments still vulnerable if unpatched. Given the critical nature of privileged access management solutions and their widespread use in enterprise environments, this vulnerability poses a significant threat to organizations globally. Details of the exploit have been withheld to allow time for patch deployment. Historical exploitation of BeyondTrust products underscores the urgency of remediation.

For European organizations, this vulnerability presents a severe risk due to the critical role BeyondTrust RS and PRA products play in managing privileged access and remote support. Successful exploitation could lead to unauthorized system control, data breaches involving sensitive or regulated information, and operational disruptions. This is particularly concerning for sectors such as finance, healthcare, government, and critical infrastructure, where privileged access tools are heavily utilized and data protection regulations like GDPR impose strict requirements. The ability to execute code remotely without authentication increases the likelihood of targeted attacks and potential lateral movement within networks. Unpatched on-premises deployments are especially vulnerable, as they may lack automated update mechanisms. The exposure of approximately 11,000 instances worldwide, including many in Europe, amplifies the risk of widespread exploitation. Additionally, the potential for data exfiltration and service disruption could result in significant financial losses, reputational damage, and regulatory penalties for affected organizations.

European organizations should immediately identify all instances of BeyondTrust Remote Support and Privileged Remote Access in their environments, prioritizing on-premises deployments. Apply the official patches released by BeyondTrust: Remote Support version 25.3.2 or later and Privileged Remote Access version 25.1.1 or later. For versions older than RS 21.3 or PRA 22.1, upgrade to a supported version before patching. Disable or restrict external internet exposure of these services where possible, implementing network segmentation and firewall rules to limit access to trusted IPs only. Employ strict monitoring and logging of privileged access activities to detect anomalous behavior indicative of exploitation attempts. Conduct vulnerability scanning and penetration testing focused on these products to verify patch effectiveness. Establish or enhance automated update mechanisms for self-hosted environments to reduce patching delays. Finally, review and tighten privileged access policies and credentials management to minimize the attack surface.