Pre-Authentication RCE Bug in BeyondTrust RS and PRA

Published Date: February 9, 2026
Category: ShadowOpsIntel
Share:

BeyondTrust disclosed a critical pre-authentication remote code execution (RCE) vulnerability affecting Remote Support (RS) and older versions of Privileged Remote Access (PRA). The flaw allows an unauthenticated remote attacker to execute arbitrary operating system commands by sending specially crafted requests. No user interaction is required, and successful exploitation can lead to full system compromise.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2026-1731
  • CVSS Score: 9.9
  • Type: pre-authentication remote code execution
  • Description: The vulnerability exists in the request handling logic of BeyondTrust Remote Support and certain older versions of Privileged Remote Access. By sending specially crafted client requests, an attacker can exploit insufficient input validation, resulting in arbitrary operating system command execution.

Affected Products

  • Remote Support versions 25.3.1 and earlier
  • Privileged Remote Access versions 24.3.4 and earlier

Impact

Successful exploitation may result in:

  • Full system compromise
  • Unauthorized access to sensitive systems and credentials
  • Data exfiltration
  • Service disruption or complete takeover of the access management platform

Given the role of RS and PRA in managing privileged access, compromise could enable lateral movement across enterprise environments and downstream system access.

Recommendations

  1. Immediately restrict external access to RS/PRA interfaces until patched; monitor for anomalous pre-auth requests.
  2. Upgrade to fixed versions (RS ≥ 25.3.2, PRA ≥ 25.1.1) without delay.
    NOTE: BeyondTrust confirmed that SaaS customers were automatically patched as of February 2, 2026, while self-hosted customers must manually upgrade or apply patches .
  3. Enable and verify automatic updates in the BeyondTrust appliance interface.
  4. Review logs for suspicious unauthenticated requests or unexpected command execution.
  5. Treat unpatched, internet-facing instances as potentially compromised and perform forensic review.

Source:

  • https://www.beyondtrust.com/trust-center/security-advisories/bt26-02

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert