CVE-2026-1731
📛 CVE Title
Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)
Description
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- BT
- CVSS severity
- CRITICAL
- CVSS score
- 9.9 / 10
- CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L- Effective score
- 9.9 / 10 CRITICAL source: CNA overview
- CWE(s)
-
CWE-78 - Reserved
- 2026-01-31
- Published
- 2026-02-06 21:49 UTC
- Last updated
- 2026-02-26 15:04 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/1xxx/CVE-2026-1731.json
- Linked Threat
- CVE-2026-1731 — BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA): BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
CISA Known Exploited Vulnerabilities CISA KEV
CISA has confirmed in-the-wild exploitation of this CVE. Federal agencies must remediate by the due date below; private orgs should treat it as priority-1.
- Vulnerability name
- BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
- Vendor / project
- BeyondTrust
- Product
- Remote Support (RS) and Privileged Remote Access (PRA)
- Date added to KEV
- 2026-02-13
- Remediation due
- 2026-02-16
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Ransomware campaign use
- Known
- CISA notes
- Please adhere to the vendor's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible BeyondTrust products affected by this vulnerability. For more information please: see: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 ; https://nvd.nist.gov/vuln/detail/CVE-2026-1731
- CISA listing
- www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2026-02-06 22:16:11 UTC
- NVD last modified
- 2026-02-17 13:40:10 UTC
- NVD CVSS v3.1
- 9.8 / 10 CRITICAL source: nvd@nist.gov
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H- Exploitability subscore
- 3.9 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.8006 (probability of exploitation in next 30 days)
- EPSS percentile
- 99.13% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24
NVD / KEV / EPSS data refreshed 2026-05-25 04:24 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2026-5559 - Assigner
- BT
- Published
- Feb 6, 2026, 9:49:20 PM
- Updated
- Feb 26, 2026, 3:04:15 PM
- EUVD base score (CVSS 4.0)
-
9.9 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L - EUVD-reported EPSS
- 80.0700
- Vendors
- BeyondTrust
- Products
-
Remote Support(RS) & Privileged Remote Access(PRA) (0 ≤RS 25.3.1)Remote Support(RS) & Privileged Remote Access(PRA) (0 ≤PRA 24.3.4)
- Aliases
-
GHSA-p5wr-5p37-2wm6
ENISA description: BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| BeyondTrust | Remote Support(RS) & Privileged Remote Access(PRA) |
0 (affected),
0 (affected)
|
— |
Affected products — CPE 2.3 (2) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:beyondtrust:privileged_remote_access:*:*:*:*:*:*:*:*cpe:2.3:a:beyondtrust:remote_support:*:*:*:*:*:*:*:*
Remediations (9)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:www.rapid7.com
On February 13, 2026 , CVE-2026-1731 , was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. Mitigation guidance A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments. BeyondTrust Remote Support ...
2026-05-14 16:20 UTC -
web:nvd.nist.gov
An official website of the United States government Here's how you know
2026-05-14 16:20 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-05-14 16:20 UTC -
web:securityaffairs.com
BeyondTrust released patches for CVE-2026-1731 on February 6 after Hacktron researchers warned that about thousands of instances were exposed online. Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments.
2026-05-14 16:20 UTC -
web:www.bleepingcomputer.com
Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities.
2026-05-14 16:20 UTC -
web:cybersecuritynews.com
Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.
2026-05-14 16:20 UTC -
web:www.cve.org
Vulnerability detail for CVE-2026-1731 Notice: Expanded keyword searching of CVE Records (with limitations) is now available in the search box above. Learn more here.
2026-05-14 16:20 UTC -
web:www.malwarebytes.com
May's Patch Tuesday may not be the giant release many expected, but there are still plenty of important fixes that shouldn't be ignored.
2026-05-14 16:20 UTC -
CISA KEV
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-02-16 Known ransomware campaign use: Known
2026-05-14 01:13 UTC
Vendor references (2)
References embedded in the original CVE record by the assigning CNA.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
- http://cwe.mitre.org/data/definitions/78.html rapid7:cwe.mitre.org
- https://attackerkb.com/topics/CVE-2026-1731 rapid7:attackerkb.com
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-5559 rapid7:euvd.enisa.europa.eu
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 rapid7:www.beyondtrust.com
- https://www.cve.org/CVERecord?id=CVE-2026-1731 rapid7:www.cve.org
NVD-tagged references (5)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 13061848-ea10-403d-bd75-c83a022c2891 Permissions Required
- https://github.com/win3zz/CVE-2026-1731 134c704f-9b21-4f2e-91b3-4a467353bcc0 ExploitThird Party Advisory
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 13061848-ea10-403d-bd75-c83a022c2891 Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731 134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
- https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731 134c704f-9b21-4f2e-91b3-4a467353bcc0 Third Party Advisory
Indicators (2)
IOCs linked to the auto-promoted Threat row.
| Type | Value | VirusTotal | Attached |
|---|---|---|---|
| cwe |
CWE-78
|
no local data | 2026-05-14 02:58 UTC |
| cve |
CVE-2026-1731
|
no local data | 2026-05-14 02:58 UTC |
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-1731.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1731",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-14T04:55:25.328322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-02-13",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:15.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/win3zz/CVE-2026-1731"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T00:00:00.000Z",
"value": "CVE-2026-1731 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Remote Support(RS) & Privileged Remote Access(PRA)",
"vendor": "BeyondTrust",
"versions": [
{
"lessThanOrEqual": "RS 25.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "PRA 24.3.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "<span style=\"background-color: rgb(255, 255, 255);\">BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><br>"
}
],
"value": "BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T21:49:20.844Z",
"orgId": "13061848-ea10-403d-bd75-c83a022c2891",
"shortName": "BT"
},
"references": [
{
"url": "https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293"
},
{
"url": "https://www.beyondtrust.com/trust-center/security-advisories/bt26-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "13061848-ea10-403d-bd75-c83a022c2891",
"assignerShortName": "BT",
"cveId": "CVE-2026-1731",
"datePublished": "2026-02-06T21:49:20.844Z",
"dateReserved": "2026-01-31T23:54:56.922Z",
"dateUpdated": "2026-02-26T15:04:15.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}