Advisory: CVE-2026-1731 – Critical Pre-Auth RCE in BeyondTrust RS & PRA
Summary
CVE-2026-1731 is a critical pre-auth remote code execution (RCE) vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The vulnerability allows an unauthenticated attacker to execute arbitrary OS commands by sending specially crafted requests to the vulnerable portal, without any user interaction. Active exploitation has been observed in the wild shortly after PoC publication.
Affected Systems and/or Applications
- BeyondTrust Remote Support (RS): versions 25.3.1 and older
- BeyondTrust Privileged Remote Access (PRA): versions 24.3.4 and older
- Deployment Models: Self-hosted instances are at highest risk; SaaS instances were automatically patched as of February 2, 2026
- Exposure: Portals accessible from the Internet are especially vulnerable
Technical Details
Vulnerability Mechanism
The vulnerability allows attackers to execute OS commands in the context of a "site user" by sending specially crafted requests to the portal. Consequences include full system compromise, data exfiltration, and service disruption.
Observed Exploitation Path
- Attackers query the /get_portal_info endpoint to obtain the X-Ns-Company identifier.
- A WebSocket channel is established using the retrieved identifier.
- Arbitrary commands are executed on the vulnerable system via this channel.
Key Points
- Exploitation does not require authentication.
- Attackers can leverage the vulnerability as a pivot point to access other systems managed via RS/PRA.
- Detection is challenging: failed login alerts are ineffective; focus should be on HTTP/WebSocket logs and host telemetry.
Mitigation
CVE-2026-1731 represents a critical patching crisis. Self-hosted instances of BeyondTrust RS/PRA exposed to the Internet are at immediate risk and should be patched without delay. Organizations must assume possible compromise if the portal was exposed prior to patching.
Immediate Actions for Self-Hosted Instances
Limit Exposure
- Restrict portal access with IP allowlists, VPN, or geoblocking.
- Temporarily take the portal offline if business operations allow.
Patch/Upgrade
- Apply BeyondTrust-provided updates immediately.
- For older versions, perform required upgrades to supported versions before applying patches.
- Verify auto-update functionality; self-hosted appliances may not update automatically.
Threat Hunting
- Monitor /get_portal_info requests followed by WebSocket activity.
- Look for anomalous traffic from unknown ASNs or countries.
- Check hosts for unusual processes, new shell execution, scheduled tasks, or modified binaries/services.
Assume Breach if Unpatched
- Perform forensic triage: collect logs, disk images, EDR artifacts.
- Rotate secrets, review service accounts, and inspect appliance configurations.
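As an added example (not from the advisory or from BeyondTrust), the threat-hunting step above as a script: it scans web access log lines for a client that requests /get_portal_info and then completes a WebSocket upgrade (HTTP 101) from the same source shortly afterwards. The NCSA-style log format, the five-minute window and the sample lines are assumptions, and the WebSocket path is a placeholder; detection keys on the 101 status, not the path.

```python
import re
from datetime import datetime, timedelta

# Assumed format: NCSA combined-style access log. The lines below are constructed
# for this example and are not real BeyondTrust appliance logs; "/ws-endpoint"
# is a placeholder path, detection keys on the 101 (Switching Protocols) status.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:00:01 +0000] "GET /get_portal_info HTTP/1.1" 200 512
203.0.113.10 - - [12/Feb/2026:10:00:03 +0000] "GET /ws-endpoint HTTP/1.1" 101 0
198.51.100.7 - - [12/Feb/2026:10:05:00 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.7 - - [12/Feb/2026:10:05:02 +0000] "GET /get_portal_info HTTP/1.1" 200 512
192.0.2.44 - - [12/Feb/2026:11:00:00 +0000] "GET /get_portal_info HTTP/1.1" 200 512
192.0.2.44 - - [12/Feb/2026:11:20:00 +0000] "GET /ws-endpoint HTTP/1.1" 101 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop any query string
    return m.group("ip"), ts, path, int(m.group("status"))

def find_probe_then_upgrade(log_text, window=timedelta(minutes=5)):
    """Flag clients that hit /get_portal_info and then complete a WebSocket
    upgrade (HTTP 101) from the same source IP within `window`."""
    last_probe = {}   # ip -> timestamp of the most recent /get_portal_info request
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if path == "/get_portal_info":
            last_probe[ip] = ts
        elif status == 101 and ip in last_probe and ts - last_probe[ip] <= window:
            hits.append({"ip": ip, "probe": last_probe[ip], "upgrade": ts})
    return hits

if __name__ == "__main__":
    for h in find_probe_then_upgrade(SAMPLE_LOG):
        print(f"{h['ip']}: /get_portal_info at {h['probe']}, WebSocket upgrade at {h['upgrade']}")
```

A wider window raises recall at the cost of more benign hits from legitimate clients that load the portal and then open a session.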
For SaaS Customers
No action required; BeyondTrust reports that SaaS instances have been automatically patched.
What the Cyber Fusion Center is Doing
The CFC is monitoring the situation and this advisory will be updated if required, or when more information is made available.
References
- BleepingComputer: Critical BeyondTrust RCE flaw now exploited
- BeyondTrust Security Advisory BT26-02
- CCB Belgium Advisory on RCE in BeyondTrust