BeyondTrust’s Critical RCE Flaw CVE-2026-1731 Is Getting Hammered by Hackers—Patch Now!
US CISA just added a brutal pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and older Privileged Remote Access (PRA) products to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2026-1731 with a perfect storm CVSS score of 9.9, this bug lets unauthenticated attackers fire off specially crafted requests to run OS commands remotely—no login required.
BeyondTrust dropped patches on February 6 after researchers spotted thousands of exposed instances online, with about 11,000 total deployments vulnerable, including 8,500 on-prem systems hitting big sectors like healthcare, finance, government, and hospitality. A proof-of-concept exploit hit GitHub on February 10, and by February 11, GreyNoise was lighting up with reconnaissance scans from a single IP doing 86% of the probing, using VPNs and Linux tools to hunt non-standard ports.
These same IPs are multi-tasking, slamming SonicWall, MOVEit, Log4j, Sophos firewalls, SSH brute-forces, and IoT weak creds—some even dropping OAST callbacks to confirm vulns before payload drops. CISA’s BOD 22-01 mandates federal agencies patch by February 16, and private orgs should jump on it too, as exploitation is live and this could chain into zero-days for full compromise.
As a developer, this screams at you: if your team’s using BeyondTrust for remote access—and stats say enterprises love it—unpatched boxes are sitting ducks for RCE leading to data theft, disruption, or worse. It underscores why you audit third-party tools religiously, rotate creds, and automate patching; one lazy deploy could nuke your prod env while threat actors treat it like a playground.
Bottom line: Grab those February 6 patches yesterday, scan your perimeter, and harden those remote support sessions—2026’s off to a wild start in cyber, and this one’s a wake-up call no dev can ignore.
