BeyondTrust warns of critical RCE flaw in remote support software

BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.

Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don’t require user interaction.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user,” BeyondTrust noted. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

BeyondTrust has secured all RS/PRA cloud systems by February 2, 2026, and has advised all on-premises customers to patch their systems manually by upgrading to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later, if they haven’t enabled automatic updates.

“Approximately 11,000 instances are exposed to the internet including both cloud and on-prem deployments,” the Hacktron team warned in a Friday report. “About ~8,500 of those are on-prem deployments which remain potentially vulnerable if patches aren’t applied.”

In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability that could also allow unauthenticated attackers to gain remote code execution.

Previous BeyondTrust flaws targeted as zero-days

While the company has yet to say whether attackers have exploited the recently patched CVE-2026-1731 vulnerability in the wild, other BeyondTrust RS/PRA security flaws have been targeted in recent years.

For instance, two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust’s systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686).

The U.S. Treasury Department revealed less than one month later that its network had been hacked in an incident later linked to the Silk Typhoon Chinese state-backed hacking group. Silk Typhoon is believed to have stolen unclassified information about potential sanctions actions and other similarly sensitive documents from the Treasury’s compromised BeyondTrust instance.

The Chinese cyberspies have also targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs.

CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19 and ordered U.S. government agencies to secure their networks within a week.

BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of Fortune 100 companies worldwide. Remote Support is the company’s enterprise-grade remote support solution that helps IT support teams troubleshoot issues remotely, while Privileged Remote Access serves as a secure gateway that enforces authorization rules for specific systems and resources.

The future of IT infrastructure is here

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide