BeyondTrust’s Critical RCE Bug Hits the Wild – Patch Now or Pay Later
Threat actors are already hammering a fresh critical vulnerability in BeyondTrust's Remote Support (RS) and Privileged Remote Access (PRA) products, just days after patches dropped. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a hard deadline of today to fix it.
Dive into the nitty-gritty: CVE-2026-1731 carries a CVSS score of 9.9 and lets unauthenticated attackers execute OS commands remotely by sending specially crafted requests: no login, no user interaction. BeyondTrust pushed fixes on February 6, after Hacktron spotted roughly 11,000 exposed instances, mostly on-prem and concentrated in healthcare, finance, and government. A PoC hit GitHub on February 10, and by the next day GreyNoise had clocked reconnaissance scans, with a single IP responsible for 86% of the probing, working through VPNs and using Linux tooling on non-standard ports. Arctic Wolf and watchTowr confirmed in-the-wild exploitation: attackers pulled company details via get_portal_info, set up WebSocket connections, and dropped tools like the SimpleHelp RMM for persistence before moving laterally with PsExec and Impacket.
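Two of the indicators above are easy to hunt for in ordinary web access logs: requests that touch get_portal_info, and one source address accounting for the bulk of the probing. The script below is an added example, not BeyondTrust code and not a vendor-published detection. It parses Apache/nginx "combined" log lines, counts get_portal_info hits per source IP, and flags a source whose share of those hits crosses a threshold (the 86% single-IP figure GreyNoise reported is the motivation for that check). The sample log is constructed, and the /api/get_portal_info path is a placeholder assumption; the script only matches the substring get_portal_info, so it does not depend on the real URL layout.

```python
"""Triage web access logs for the activity pattern described in the article:
requests touching get_portal_info and a single source dominating the probing.
Added example; not BeyondTrust code. Log lines and paths are constructed."""
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" format. The /api/get_portal_info
# path is a placeholder assumption, not a documented BeyondTrust endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2026:02:14:05 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [11/Feb/2026:02:14:06 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [11/Feb/2026:02:15:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2026:02:16:01 +0000] "POST /api/get_portal_info HTTP/1.1" 200 640 "-" "curl/8.5.0"
198.51.100.22 - - [11/Feb/2026:02:20:44 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.9 - - [11/Feb/2026:02:21:03 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2026:02:22:17 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [11/Feb/2026:02:22:18 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"
this line is garbage and must not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, marker="get_portal_info", dominance=0.5):
    """Count requests whose path contains `marker` per source IP and flag a dominant source.

    `dominance` is the share of marker hits above which a single IP is reported,
    mirroring the one-IP concentration GreyNoise described for this campaign.
    Unparseable lines are counted, not fatal, so a noisy log does not abort the run.
    """
    hits = Counter()
    agents = {}
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        if marker in rec["path"]:
            hits[rec["ip"]] += 1
            agents.setdefault(rec["ip"], set()).add(rec["ua"])

    total = sum(hits.values())
    dominant = None
    if total:
        ip, n = hits.most_common(1)[0]
        if n / total > dominance:
            dominant = {"ip": ip, "hits": n, "share": n / total, "agents": sorted(agents[ip])}
    return {"total_hits": total, "per_ip": dict(hits), "dominant": dominant, "skipped_lines": skipped}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total_hits']} {'get_portal_info'} hits from {len(result['per_ip'])} source IPs")
    for ip, n in sorted(result["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:16} {n}")
    if result["dominant"]:
        d = result["dominant"]
        print(f"dominant source {d['ip']} ({d['share']:.0%} of hits), user agents: {', '.join(d['agents'])}")
```

Point it at your own appliance's access log instead of SAMPLE_LOG and treat any hit from an address that is not a known administrator or support workstation as a lead, not proof: get_portal_info is presumably reachable by legitimate clients too, so the signal is who is calling it, how often, and with which tooling (scripted user agents such as python-requests or curl rather than a browser).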
For developers, this is a wake-up call: if your org runs BeyondTrust RS or PRA, especially one of the 8,500+ on-prem appliances, you're low-hanging fruit for full system compromise, data theft, or ransomware. These tools hold privileged access to your estate by design, which makes them goldmines for privilege escalation, and multi-tool scanners are already probing for this flaw alongside Log4j, SonicWall, and other known bugs. Unpatched? Expect breaches that nuke your repos, creds, and pipelines.
Bottom line: patch immediately, find every exposed instance, and rotate any credentials or sessions an exploited appliance could have touched. Strictly speaking this was not a zero-day, since the patch beat the exploitation, but in 2026's threat blitz the gap between patch and in-the-wild abuse is down to days, and once a PoC is public your window shrinks to hours. Don't be the next headline.