Cybersecurity Blog | RedLegg

Security Bulletin: Pre-Authentication Remote Code Execution in BeyondTrust Remote Support and Privileged Remote Access

Written by RedLegg's Cyber Threat Intelligence Team | 2/12/26 8:57 PM

About:

CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (RS) and certain versions of Privileged Remote Access (PRA). The flaw allows an unauthenticated attacker to send specially crafted requests to vulnerable endpoints, resulting in execution of operating system commands in the context of the BeyondTrust application service account. Successful exploitation could lead to full compromise of remote access infrastructure and downstream privileged sessions.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Pre-Authentication Remote Code Execution in BeyondTrust Remote Support and Privileged Remote Access

 

CVSS Score: 9.9 (Critical)

Identifier:
CVE-2026-1731


Exploit or POC: According to public advisories and vendor reporting, there was no confirmed evidence of widespread in-the-wild exploitation at the time of disclosure.


Update

BeyondTrust has released fixes and mitigation guidance in security advisory BT26-02.
 
Official advisory and patch guidance:
https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
 
Affected products and versions include:
BeyondTrust Remote Support (RS) 25.3.1 and earlier
BeyondTrust Privileged Remote Access (PRA) 24.3.4 and earlier
 
Important remediation notes:
 
SaaS customers were patched by BeyondTrust automatically.
 
Self-hosted deployments must manually apply the patch or upgrade.
 
Customers running RS versions older than 21.3 or PRA versions older than 22.1 must upgrade to a supported version before applying the fix.
 
PRA versions 25.1 and later are not affected.
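
The version ranges above, applied to an inventory of self-hosted appliances. This is an added example, not code from BeyondTrust or from the original bulletin; the hostnames and installed versions in the sample inventory and the action labels are constructed for illustration. Versions the bulletin gives no status for are sent back to advisory BT26-02 rather than assumed safe.

```python
"""Triage a BeyondTrust inventory against the version ranges in this bulletin."""

AFFECTED_MAX = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}  # "<version> and earlier"
PATCH_FLOOR = {"RS": (21, 3, 0), "PRA": (22, 1, 0)}   # older: upgrade before patching
NOT_AFFECTED_MIN = {"PRA": (25, 1, 0)}                # "25.1 and later are not affected"


def parse_version(text):
    """'24.3.4' -> (24, 3, 4); short versions are zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(product, version_text):
    """Return the action the bulletin implies for one self-hosted appliance."""
    product = product.strip().upper()
    if product not in AFFECTED_MAX:
        raise ValueError(f"unknown product: {product!r}")
    version = parse_version(version_text)
    if version < PATCH_FLOOR[product]:
        return "upgrade-to-supported-then-patch"
    if version <= AFFECTED_MAX[product]:
        return "patch-or-upgrade"
    if product in NOT_AFFECTED_MIN and version >= NOT_AFFECTED_MIN[product]:
        return "not-affected"
    # The bulletin states no status for this range; do not assume it is safe.
    return "check-advisory-BT26-02"


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("rs-dmz-01", "RS", "25.3.1"),
    ("rs-legacy", "RS", "20.1.4"),
    ("pra-core", "PRA", "24.3.4"),
    ("pra-new", "PRA", "25.1"),
    ("pra-mid", "PRA", "24.3.5"),
]


def triage(inventory):
    """Map each host to its action, most urgent actions first."""
    order = ["upgrade-to-supported-then-patch", "patch-or-upgrade",
             "check-advisory-BT26-02", "not-affected"]
    rows = [(host, prod, ver, classify(prod, ver)) for host, prod, ver in inventory]
    return sorted(rows, key=lambda row: order.index(row[3]))


if __name__ == "__main__":
    for host, prod, ver, action in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {prod:3} {ver:8} {action}")
```
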

Description:

CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and certain versions of Privileged Remote Access. An unauthenticated attacker can send crafted requests to vulnerable endpoints to execute operating system commands in the context of the BeyondTrust application service account.

 

Mitigation Recommendation

Immediately apply the BeyondTrust patches referenced in advisory BT26-02 or upgrade to a non-affected supported version.
 
If using BeyondTrust SaaS, confirm with the vendor that remediation has been applied and review post-patch guidance.
 
Restrict network access to BeyondTrust RS and PRA interfaces to trusted administrative networks only; remove direct internet exposure where possible.