BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.

Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don’t require user interaction.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user,” BeyondTrust noted. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

BeyondTrust has secured all RS/PRA cloud systems by February 2, 2026, and has advised all on-premises customers to patch their systems manually by upgrading to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later, if they haven’t enabled automatic updates.

“Approximately 11,000 instances are exposed to the internet including both cloud and on-prem deployments,” the Hacktron team warned in a Friday report. “About ~8,500 of those are on-prem deployments which remain potentially vulnerable if patches aren’t applied.”

In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability that could also allow unauthenticated attackers to gain remote code execution.

After publishing this story, BeyondTrust told BleepingComputer that there is no known active exploitation of CVE-2026-1731 at this time.

Previous BeyondTrust flaws targeted as zero-days

While BeyondTrust says the CVE-2026-1731 vulnerability has not been targeted in the wild, threat actors have exploited other BeyondTrust RS/PRA security flaws in recent years.

For instance, two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust’s systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686).

The U.S. Treasury Department revealed less than one month later that its network had been hacked in an incident later linked to the Silk Typhoon Chinese state-backed hacking group. Silk Typhoon is believed to have stolen unclassified information about potential sanctions actions and other similarly sensitive documents from the Treasury’s compromised BeyondTrust instance.

The Chinese cyberspies have also targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs.

CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19 and ordered U.S. government agencies to secure their networks within a week.

BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of Fortune 100 companies worldwide. Remote Support is the company’s enterprise-grade remote support solution that helps IT support teams troubleshoot issues remotely, while Privileged Remote Access serves as a secure gateway that enforces authorization rules for specific systems and resources.