{"id":43817,"date":"2026-02-21T01:48:24","date_gmt":"2026-02-20T17:48:24","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/21\/cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks\/"},"modified":"2026-02-21T01:48:24","modified_gmt":"2026-02-20T17:48:24","slug":"cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/21\/cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks\/","title":{"rendered":"CISA: BeyondTrust RCE flaw now exploited in ransomware attacks"},"content":{"rendered":"\n

\"CISA:<\/p>\n

Hackers are actively exploiting the CVE-2026-1731 vulnerability in the BeyondTrust Remote Support product, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns.<\/p>\n

The security issue affects BeyondTrust’s Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier, and can be exploited for remote code execution.<\/p>\n

CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on February 13<\/a> and gave federal agencies just three days to apply the patch or stop using the product.<\/p>\n

\"CISA:<\/a> <\/div>\n

BeyondTrust initially disclosed<\/a> CVE-2026-1731 on February 6. The security advisory<\/a> classified it as a pre-authentication remote code execution vulnerability caused by an OS command injection weakness, exploitable via specially crafted client requests sent to vulnerable endpoints.<\/p>\n

Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after, and in-the-wild exploitation<\/a> started almost immediately.<\/p>\n

On February 13, BeyondTrust updated the bulletin  to say that exploitation had been detected on January 31, making CVE-2026-1731 a zero-day vulnerability for at least a week.<\/p>\n

BeyondTrust states that the report from researcher Harsh Jaiswal and the Hacktron AI team<\/a> confirmed the anomalous activity that they detected on a single Remote Support appliance at the time.<\/p>\n

CISA has now activated the ‘Known To Be Used in Ransomware Campaigns?’ indicator in the KEV catalog.<\/p>\n

For customers of the cloud-based application (SaaS), the vendor states the patch was applied automatically on February 2, so no manual intervention is needed.<\/p>\n

Customers of the self-hosted instances need to either enable automatic updates and verify that the patch was applied via the ‘\/appliance’ interface or manually install it.<\/p>\n

For Remote Support, the recommendation is to install version 25.3.2. Privileged Remote Access users should switch to version 25.1.1 or newer.<\/p>\n

Those still at RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.<\/p>\n