
BeyondTrust Remote Support Vulnerability Threatens Thousands Of Networks

Threat Overview

On February 13, 2026, the security community was alerted to a critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) appliances. The flaw, identified as CVE-2026-1731, enables unauthenticated attackers to execute arbitrary operating‑system commands on vulnerable machines before any authentication occurs. With a CVSS v4 score of 9.9 and a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L, this vulnerability represents a near‑maximum threat to organizations that rely on BeyondTrust solutions for remote administration.

Technical Details

The vulnerability resides in the way RS and older versions of PRA process specially crafted client requests. By sending a malformed packet, an attacker can bypass authentication checks and reach the underlying OS execution path. The affected code path is the request handling exposed through the remote support protocol, which passes attacker-controlled input to the operating system and thereby yields a remote code execution (RCE) primitive. The flaw is a classic example of CWE‑78 (OS Command Injection), where input is not properly sanitized before being passed to a system shell.

BeyondTrust has documented that the issue is present in RS versions 25.3.1 and earlier, and PRA versions 24.3.4 and earlier. The vulnerability was discovered by the Hacktron AI team using AI‑enabled variant analysis, illustrating the growing importance of advanced analytics in threat hunting.

Impact Assessment

Successful exploitation can lead to full system compromise. An attacker who gains the ability to run arbitrary commands can:

  • Install backdoors for persistent access.
  • Extract sensitive data from the affected host or connected network resources.
  • Disrupt critical services, potentially causing downtime for business operations.

Because the flaw operates without authentication or user interaction, the attack surface is wide, particularly for self‑hosted deployments that are not automatically updated. Organizations that have not upgraded from the vulnerable baseline are at immediate risk.

Mitigation and Patch Guidance

BeyondTrust issued patch BT26-02 for all SaaS customers on February 2, 2026. Self‑hosted installations, however, must apply the patch manually if automatic updates are disabled. Advisory details:

  • RS Patch BT26-02-RS (v21.3 – 25.3.1) resolves the issue.
  • PRA Patch BT26-02-PRA (v22.1 – 24.X) addresses older versions.
  • All PRA releases 25.1 and newer are unaffected; no patch is required.

Security analysts should verify that their environments meet the following criteria:

  • RS version > 25.3.1 or patched with BT26-02-RS.
  • PRA version > 24.3.4 or patched with BT26-02-PRA.
  • Self‑hosted instances are subscribed to automatic updates, or administrators have applied the patch manually.
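The version criteria above are easy to misapply by hand across a large estate, so the following script, an example added to this article and not BeyondTrust tooling, triages an inventory against exactly the ranges the advisory summary states (RS 25.3.1 and earlier, PRA 24.3.4 and earlier, PRA 25.1 and newer unaffected, patch IDs BT26-02-RS and BT26-02-PRA with their stated coverage). The inventory, hostnames and the `Appliance` record are constructed for the example; PRA builds that fall between 24.3.4 and 25.1, which the summary does not classify, are returned as `review` rather than silently marked safe.

```python
"""Triage a constructed appliance inventory against the CVE-2026-1731 version
ranges stated above. Example code added to this article; not BeyondTrust's."""
from dataclasses import dataclass, field

# Version boundaries exactly as the advisory summary states them.
RS_LAST_VULNERABLE = (25, 3, 1)     # RS 25.3.1 and earlier are affected
RS_PATCH_FLOOR = (21, 3, 0)         # BT26-02-RS covers v21.3 - 25.3.1
PRA_LAST_VULNERABLE = (24, 3, 4)    # PRA 24.3.4 and earlier are affected
PRA_FIRST_UNAFFECTED = (25, 1, 0)   # PRA 25.1 and newer need no patch
PRA_PATCH_FLOOR = (22, 1, 0)        # BT26-02-PRA covers v22.1 - 24.X
PATCH_ID = {"RS": "BT26-02-RS", "PRA": "BT26-02-PRA"}


def parse_version(text: str) -> tuple:
    """'25.3.1' -> (25, 3, 1); shorter strings are zero-padded so that
    '25.1' compares as (25, 1, 0). Anything else raises ValueError."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        raise ValueError(f"unrecognised version string: {text!r}") from None
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Appliance:                 # constructed record type for the example
    host: str
    product: str                 # "RS" or "PRA"
    version: str
    patches: set = field(default_factory=set)   # applied BeyondTrust patch IDs


def assess(app: Appliance) -> str:
    """Classify one appliance: unaffected, patched, vulnerable, review, or
    vulnerable-no-patch-listed (older than the stated patch coverage)."""
    v = parse_version(app.version)
    if app.product == "RS":
        if v > RS_LAST_VULNERABLE:
            return "unaffected"
        if PATCH_ID["RS"] in app.patches:
            return "patched"
        return "vulnerable" if v >= RS_PATCH_FLOOR else "vulnerable-no-patch-listed"
    if app.product == "PRA":
        if v >= PRA_FIRST_UNAFFECTED:
            return "unaffected"
        if v > PRA_LAST_VULNERABLE:
            # 24.3.5 .. 24.x sits between the stated vulnerable ceiling and the
            # first unaffected release; confirm against the vendor advisory.
            return "review"
        if PATCH_ID["PRA"] in app.patches:
            return "patched"
        return "vulnerable" if v >= PRA_PATCH_FLOOR else "vulnerable-no-patch-listed"
    raise ValueError(f"unknown product {app.product!r}")


def triage(inventory):
    """Group hostnames by status so vulnerable hosts can be prioritised."""
    out = {}
    for app in inventory:
        out.setdefault(assess(app), []).append(app.host)
    return out


# Constructed inventory for the example; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    Appliance("rs-dc1", "RS", "25.3.1"),
    Appliance("rs-dc2", "RS", "25.3.1", {"BT26-02-RS"}),
    Appliance("rs-lab", "RS", "20.2.0"),
    Appliance("pra-hq", "PRA", "24.3.4"),
    Appliance("pra-eu", "PRA", "24.4.0"),
    Appliance("pra-new", "PRA", "25.1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:28s} {', '.join(hosts)}")
```

Feed it the real inventory from configuration management and treat every `review` and `vulnerable-no-patch-listed` result as a manual follow-up item, since those are the cases the summary's ranges leave unanswered.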

Recommendations for Security Teams

  1. Asset Inventory: Confirm which RS and PRA versions are in use across the organization. Use configuration management or automated discovery tools to map installations.
  2. Rapid Patch Deployment: Prioritize patching of all vulnerable instances. For self‑hosted deployments, enforce a policy that mandates manual patching on the release date or sooner.
  3. Network Segmentation: Restrict direct internet access to RS and PRA appliances. Place them behind firewalls and limit inbound traffic to known management IP ranges.
  4. Runtime Monitoring: Deploy host‑based intrusion detection systems (HIDS) that can flag unexpected command execution or unauthorized process creation. Correlate logs with known indicators of exploitation such as unusual payloads or failed authentication attempts.
  5. Incident Response Planning: Update playbooks to include containment steps for remote code execution via RS/PRA. Define clear escalation paths and communication channels for affected stakeholders.
  6. Security Awareness: Educate administrators about the risks of running outdated remote support tools. Emphasize the importance of timely patch management and configuration hardening.
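Recommendation 4 asks for host-based detection of unexpected process creation correlated with failed authentication attempts. The script below is an example added to this article, not BeyondTrust's own logging or any published detection content: the event format, the `appliance-web` parent process name and the hostnames are all constructed placeholders, and the threshold and window are illustrative. It raises an alert whenever a shell is spawned by the appliance's service process, and escalates the severity when that host also saw a burst of failed authentications in the preceding window.

```python
"""Correlate constructed host events into alerts for recommendation 4 above.
Example code added to this article; event format and service name are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Service processes that should never spawn an interactive shell on an
# appliance. "appliance-web" is a placeholder; substitute the real listener.
SERVICE_PARENTS = {"appliance-web"}
SHELLS = {"sh", "bash", "dash"}
FAILED_AUTH_THRESHOLD = 5           # illustrative tuning values
WINDOW = timedelta(minutes=10)


def parse_event(line: str) -> dict:
    """Constructed format: '<ISO timestamp> <host> <TYPE> key=value ...'."""
    ts, host, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def correlate(lines):
    """Return one alert per service-spawned shell, rated high when the same
    host logged FAILED_AUTH_THRESHOLD or more AUTH_FAIL events within WINDOW."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failed = defaultdict(list)       # host -> timestamps of failed auths
    alerts = []
    for e in events:
        if e["kind"] == "AUTH_FAIL":
            failed[e["host"]].append(e["ts"])
        elif (e["kind"] == "PROC_START"
              and e.get("parent") in SERVICE_PARENTS
              and e.get("child") in SHELLS):
            recent = [t for t in failed[e["host"]] if e["ts"] - t <= WINDOW]
            alerts.append({
                "host": e["host"],
                "when": e["ts"].isoformat(),
                "parent": e["parent"],
                "child": e["child"],
                "recent_auth_failures": len(recent),
                "severity": "high" if len(recent) >= FAILED_AUTH_THRESHOLD else "medium",
            })
    return alerts


# Constructed sample log; hosts, users and addresses are invented
# (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2026-02-14T09:00:01 rs-dc1 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-02-14T09:00:14 rs-dc1 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-02-14T09:00:27 rs-dc1 AUTH_FAIL user=root src=203.0.113.7",
    "2026-02-14T09:00:40 rs-dc1 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-02-14T09:00:53 rs-dc1 AUTH_FAIL user=support src=203.0.113.7",
    "2026-02-14T09:03:10 rs-dc1 PROC_START parent=appliance-web child=sh user=www",
    "2026-02-14T09:30:00 rs-dc2 PROC_START parent=appliance-web child=bash user=www",
    "2026-02-14T09:31:00 rs-dc2 PROC_START parent=cron child=sh user=root",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['when']} "
              f"{a['parent']} -> {a['child']} ({a['recent_auth_failures']} recent auth failures)")
```

The `cron` line is deliberately not flagged: the rule keys on the parent process, not on the shell itself, so routine scheduled jobs do not drown the signal. In a real deployment the parent allow/deny lists come from baselining the appliance's normal process tree.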

Conclusion

This BeyondTrust Remote Support and Privileged Remote Access vulnerability poses a severe threat to any organization that relies on these tools for remote administration. The high severity score, coupled with the pre‑authentication nature of the flaw, demands immediate action. By following the mitigation steps and recommendations outlined above, security analysts can reduce the attack surface, ensure compliance with best practices, and safeguard critical infrastructure from potential exploitation.


Copyright © 2025 ESSGroup
