External risk intelligence

BeyondTrust Remote Support OS Command Injection Vulnerability.

CVE advisory | Known Exploit

CVE-2026-1731

A critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated attackers to execute operating system commands, posing a significant business risk including unauthorized access and service disruption.

Halo Surface Signal: 5

OS Command Injection

BeyondTrust Privileged Remote Access

before 25.1, before 25.3.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-1731

This product is an internet-facing remote access and support gateway designed to be accessible from the public internet to facilitate remote connectivity and management.

Horizon Alert

Summary of the vulnerability and why it matters

BeyondTrust Remote Support and certain versions of Privileged Remote Access are impacted by a critical vulnerability. This flaw permits unauthenticated attackers to execute operating system commands on affected systems. Such unauthorized command execution can lead to significant business risks, including unauthorized access to sensitive data and disruption of services.

  • Vulnerable BeyondTrust Remote Support/Access
  • Flaw allows unauthenticated command execution
  • Potential for data theft or service disruption

Attack Path

How an attacker could exploit the issue

The vulnerability allows an unauthenticated attacker to execute operating system commands. This could impact the confidentiality, integrity, and availability of systems. The attacker can gain unauthorized access to sensitive data and disrupt business operations. The attack leverages the product's network accessibility to achieve unauthorized command execution.

  • The product is exposed to the network.
  • An attacker sends crafted requests.
  • Operating system commands are executed.

Live Threat

Current exploitation, exposure, and threat context

The BeyondTrust Remote Support and Privileged Remote Access products contain a critical vulnerability that could allow unauthorized attackers to execute operating system commands. Attackers could leverage this by sending specially crafted requests, potentially leading to unauthorized access, data theft, or service disruption. The risk and urgency are high due to the potential for significant business impact.

  • Low attacker skill level required.
  • No authentication or access needed.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated attackers to execute operating system commands. Successful exploitation could enable unauthorized access, data exfiltration, and service disruption for affected organizations. The potential impact on business operations and data integrity necessitates a prompt and structured response.

  • Identify all exposed assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.

Frequently asked questions

What is BeyondTrust Remote Support and Privileged Remote Access?

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) are software solutions designed to provide secure remote access and support capabilities. They are typically used by IT professionals to manage and troubleshoot systems remotely, enabling them to assist users or maintain servers without being physically present.

What is CVE-2026-1731 and what type of weakness is it?

CVE-2026-1731 is a critical vulnerability in BeyondTrust RS and PRA. It's classified as an OS command injection weakness (CWE-78), meaning an attacker can trick the software into executing arbitrary operating system commands.

How can an attacker exploit this BeyondTrust vulnerability?

An attacker can exploit this vulnerability by sending specially crafted requests to the affected software. No authentication or user interaction is required, and the attacker aims to execute operating system commands on the system running the software.

Who should be concerned about this CVE, considering its network exposure?

Organizations using BeyondTrust Remote Support or Privileged Remote Access should be concerned, especially if these products are internet-facing. The Halo Surface Signal indicates a very likely exposure because these tools are designed for remote access and are often accessible from the public internet.

What is the first step to address this CVE in BeyondTrust software?

The immediate first step is to identify all systems running the affected versions of BeyondTrust Remote Support or Privileged Remote Access. After identification, assess their exposure and take actions to reduce or isolate any identified risks.
