Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability
Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr. "Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. "Attackers are abusing
AI Analysis
Technical Summary
CVE-2026-1731 is a critical remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, rated CVSS 9.9. It allows unauthenticated attackers to execute arbitrary operating system commands by sending specially crafted requests to affected systems. Attackers exploit the flaw by abusing the get_portal_info API to extract the x-ns-company value, which lets them establish a WebSocket channel for further exploitation. The result is unauthorized access, exfiltration of sensitive data, and service disruption.

The vulnerability was rapidly weaponized: reconnaissance and exploitation attempts were detected globally within 24 hours of the public proof-of-concept release. Notably, a significant portion of reconnaissance traffic originates from an IP associated with a commercial VPN provider in Frankfurt, Germany, indicating active scanning against European infrastructure. Arctic Wolf’s threat intelligence reveals that attackers use tools such as ADSISearcher to enumerate Active Directory computer inventories and deploy SimpleHelp remote management software via PsExec for persistence and lateral movement.

The vulnerability affects multiple versions of BeyondTrust RS and PRA, with patches released for RS versions 21.3 to 25.3.1 and PRA versions 22.1 to 24.x; PRA versions 25.1 and above are not vulnerable. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog, mandating rapid patching by federal agencies. The swift exploitation highlights the shrinking window defenders have to secure critical remote access infrastructure. BeyondTrust products are widely used in enterprise environments for privileged access management, making this vulnerability a high-value target for threat actors aiming for espionage, ransomware deployment, or network compromise.
Potential Impact
European organizations using BeyondTrust Remote Support and Privileged Remote Access products face severe risks from this vulnerability. Successful exploitation can lead to full system compromise without authentication, enabling attackers to execute arbitrary commands, move laterally within networks, and maintain persistence. This threatens confidentiality through data exfiltration, integrity by unauthorized command execution, and availability via potential service disruption. Given the critical role of BeyondTrust products in managing privileged access, exploitation could compromise sensitive administrative credentials and critical infrastructure controls. The presence of reconnaissance activity from European IPs and the use of commercial VPNs hosted in Frankfurt suggest active targeting of European networks. Industries with high reliance on privileged access management, such as finance, healthcare, government, and critical infrastructure, are particularly vulnerable. The rapid weaponization and inclusion in CISA’s KEV catalog underscore the urgency and scale of the threat. Failure to patch promptly could result in widespread breaches, operational downtime, regulatory penalties under GDPR for data breaches, and reputational damage.
Mitigation Recommendations
1. Immediately identify and inventory all BeyondTrust Remote Support and Privileged Remote Access deployments within the organization.
2. Apply the official patches released by BeyondTrust for Remote Support versions 21.3 to 25.3.1 and Privileged Remote Access versions 22.1 to 24.x. Upgrade PRA deployments to version 25.1 or later where feasible, as these versions are not vulnerable.
3. Restrict network access to BeyondTrust management interfaces using network segmentation and firewall rules, limiting exposure to trusted IPs only.
4. Monitor network traffic for suspicious WebSocket connections and unusual API calls, particularly those involving get_portal_info or extraction of x-ns-company values.
5. Deploy endpoint detection and response (EDR) solutions to detect lateral movement tools like PsExec and unauthorized installation of remote management tools such as SimpleHelp.
6. Conduct Active Directory audit and hardening to detect and prevent unauthorized enumeration and privilege escalation.
7. Implement strict logging and alerting on privileged access management systems to detect anomalous behavior early.
8. Educate IT and security teams on the threat indicators and ensure incident response plans include scenarios involving BeyondTrust exploitation.
9. Consider deploying honeypots or deception technologies to detect early exploitation attempts.
10. Coordinate with European CERTs and share threat intelligence to stay updated on emerging exploitation tactics and indicators.
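As an added illustration of recommendation 4 (this is example code written for this page, not BeyondTrust's or watchTowr's tooling), the script below scans web-server access logs for the sequence the analysis describes: a call to the get_portal_info API from one source followed shortly by a WebSocket upgrade (HTTP 101) from the same source. The log lines are constructed, and the request paths (`/api/get_portal_info`, `/ws`) and the five-minute correlation window are assumptions; only the API name comes from the advisory text, so adapt the path patterns to what your appliance actually logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Combined Log Format. Paths are hypothetical;
# only the "get_portal_info" API name is taken from the advisory text.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:09:01:12 +0000] "GET /api/get_portal_info HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:09:01:14 +0000] "GET /ws HTTP/1.1" 101 0 "-" "python-requests/2.31"
198.51.100.4 - - [14/Feb/2026:09:05:30 +0000] "GET /login HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Feb/2026:09:40:02 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2026:10:12:45 +0000] "GET /api/get_portal_info HTTP/1.1" 200 412 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Substring that identifies the reconnaissance API call (from the advisory).
PORTAL_INFO_MARKER = "get_portal_info"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def analyze(log_text, window=timedelta(minutes=5)):
    """Return findings in time order.

    - 'low'  : any get_portal_info call (possible reconnaissance).
    - 'high' : a WebSocket upgrade (HTTP 101) from an IP that called
               get_portal_info within `window` beforehand.
    A 101 with no preceding get_portal_info from that IP is treated as
    ordinary client traffic and produces no finding.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_portal_info = {}  # ip -> timestamp of its most recent get_portal_info call
    findings = []
    for e in events:
        if PORTAL_INFO_MARKER in e["path"]:
            last_portal_info[e["ip"]] = e["ts"]
            findings.append({
                "ip": e["ip"], "ts": e["ts"], "severity": "low",
                "reason": "get_portal_info call (possible reconnaissance)",
            })
        elif e["status"] == 101:
            seen = last_portal_info.get(e["ip"])
            if seen is not None and e["ts"] - seen <= window:
                delta = int((e["ts"] - seen).total_seconds())
                findings.append({
                    "ip": e["ip"], "ts": e["ts"], "severity": "high",
                    "reason": f"WebSocket upgrade {delta}s after get_portal_info",
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['severity']:<4} {f['ip']:<14} {f['reason']}")
```

Run against the sample, the script flags 203.0.113.7 twice (a low-severity reconnaissance hit, then a high-severity hit when the WebSocket upgrade follows two seconds later) and 192.0.2.9 once for reconnaissance only; the browser session from 198.51.100.4 that opens a WebSocket without ever touching get_portal_info is left alone. Tune the window to your appliance's normal client behaviour, and feed real logs in via stdin or a file rather than the embedded sample.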
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Article source: https://thehackernews.com/2026/02/researchers-observe-in-wild.html (fetched 2026-02-14T12:16:31Z, 1697 words)
Threat ID: 699067a1c9e1ff5ad8890c7b
Added to database: 2/14/2026, 12:16:33 PM
Last enriched: 2/14/2026, 12:17:42 PM
Last updated: 2/19/2026, 9:06:20 PM