BeyondTrust Remote Support Pre-Authentication RCE Under

Executive Summary

A critical pre-authentication OS command injection vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is being actively exploited in the wild. Rated CVSS 9.9, attackers can achieve unauthenticated remote code execution via crafted HTTP requests. Exploitation began within 24 hours of Rapid7 publishing a proof-of-concept exploit on February 10.

CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities (KEV) catalog on approximately February 13, 2026.

Vulnerability Details

Field	Details
CVE	CVE-2026-1731
CVSS	9.9 (Critical)
Type	Pre-authentication OS Command Injection
Vector	Crafted HTTP requests to management interface
Authentication	None required
Affected	Remote Support 25.3.1 and earlier, PRA 24.3.4 and earlier

Active Exploitation

Timeline

February 2: Cloud-hosted instances auto-patched by BeyondTrust
February 10: Rapid7 publishes proof-of-concept exploit
Within 24 hours: GreyNoise detects active exploitation attempts
February 13: CISA adds to KEV catalog with remediation deadline of February 16

Attack Methodology

Observed post-exploitation activity includes:

Deployment of SimpleHelp RMM tools for persistent remote access
Lateral movement across internal networks
Escalation to Domain Administrator privileges
Data exfiltration and ransomware preparation

Exposure

Metric	Count
Total exposed instances	~11,000
On-premises (potentially vulnerable)	~8,500
Cloud-hosted (auto-patched)	~2,500

Remediation

Immediate Actions

Patch immediately — update to BeyondTrust RS 25.3.2+ and PRA 24.3.5+
Check for compromise — review logs for unusual HTTP requests to management interface
Hunt for SimpleHelp — search for unauthorized RMM tool installations
Audit admin accounts — check for newly created privileged accounts

If Compromise Is Suspected

Isolate affected systems from the network
Reset all credentials associated with BeyondTrust infrastructure
Review Domain Admin account activity
Engage incident response resources

Detection

Monitor for:

Unusual HTTP POST requests to BeyondTrust management endpoints
SimpleHelp agent installations on endpoints
New administrative accounts created outside normal processes
Unexpected PowerShell execution on BeyondTrust servers

With roughly 8,500 potentially vulnerable on-premises instances exposed to the internet and active exploitation confirmed, organizations running self-hosted BeyondTrust must patch immediately.

Executive Summary

CISA added CVE-2026-1731 to the Known Exploited Vulnerabilities (KEV) catalog on approximately February 13, 2026.

Vulnerability Details

Field	Details
CVE	CVE-2026-1731
CVSS	9.9 (Critical)
Type	Pre-authentication OS Command Injection
Vector	Crafted HTTP requests to management interface
Authentication	None required
Affected	Remote Support 25.3.1 and earlier, PRA 24.3.4 and earlier

Active Exploitation

Timeline

February 2: Cloud-hosted instances auto-patched by BeyondTrust
February 10: Rapid7 publishes proof-of-concept exploit
Within 24 hours: GreyNoise detects active exploitation attempts
February 13: CISA adds to KEV catalog with remediation deadline of February 16

Attack Methodology

Observed post-exploitation activity includes:

Deployment of SimpleHelp RMM tools for persistent remote access
Lateral movement across internal networks
Escalation to Domain Administrator privileges
Data exfiltration and ransomware preparation

Exposure

Metric	Count
Total exposed instances	~11,000
On-premises (potentially vulnerable)	~8,500
Cloud-hosted (auto-patched)	~2,500

Remediation

Immediate Actions

Patch immediately — update to BeyondTrust RS 25.3.2+ and PRA 24.3.5+
Check for compromise — review logs for unusual HTTP requests to management interface
Hunt for SimpleHelp — search for unauthorized RMM tool installations
Audit admin accounts — check for newly created privileged accounts

If Compromise Is Suspected

Isolate affected systems from the network
Reset all credentials associated with BeyondTrust infrastructure
Review Domain Admin account activity
Engage incident response resources

Detection

Monitor for:

Unusual HTTP POST requests to BeyondTrust management endpoints
SimpleHelp agent installations on endpoints
New administrative accounts created outside normal processes
Unexpected PowerShell execution on BeyondTrust servers

With roughly 8,500 potentially vulnerable on-premises instances exposed to the internet and active exploitation confirmed, organizations running self-hosted BeyondTrust must patch immediately.

BeyondTrust Remote Support Pre-Authentication RCE Under

Affected Products

Executive Summary

Vulnerability Details

Active Exploitation

Timeline

Attack Methodology

Exposure

Remediation

Immediate Actions

If Compromise Is Suspected

Detection

BeyondTrust Remote Support and PRA Critical RCE Under

CVE-2025-53521: F5 BIG-IP APM Remote Code Execution — CISA KEV (CVSS 9.8)

CVE-2025-68613: n8n Remote Code Execution via Improper

BeyondTrust Remote Support Pre-Authentication RCE Under

Affected Products

Executive Summary

Vulnerability Details

Active Exploitation

Timeline

Attack Methodology

Exposure

Remediation

Immediate Actions

If Compromise Is Suspected

Detection

BeyondTrust Remote Support and PRA Critical RCE Under

CVE-2025-53521: F5 BIG-IP APM Remote Code Execution — CISA KEV (CVSS 9.8)

CVE-2025-68613: n8n Remote Code Execution via Improper

Affected Products

Executive Summary

Vulnerability Details

Active Exploitation

Timeline

Attack Methodology

Exposure

Remediation

Immediate Actions

If Compromise Is Suspected

Detection

Related Reading

Affected Products

Executive Summary

Vulnerability Details

Active Exploitation

Timeline

Attack Methodology

Exposure

Remediation

Immediate Actions

If Compromise Is Suspected

Detection

Related Reading