BeyondTrust Patches Critical Pre-Auth RCE Vulnerability Found by AI

BeyondTrust patches a critical pre-authentication RCE flaw discovered by AI that could let attackers run commands on 11,000 exposed remote access systems.

Introduction

BeyondTrust released emergency patches on February 6, 2026, for a critical pre-authentication remote code execution vulnerability in its Remote Support and Privileged Remote Access products.

The flaw, tracked as CVE-2026-1731 and rated 9.9 out of 10, lets unauthenticated attackers execute operating system commands by sending specially crafted requests.

Security researchers discovered roughly 11,000 vulnerable instances exposed to the internet, with about 8,500 on-premises deployments still at risk if patches aren't applied.

What Happened?

Harsh Jaiswal and the Hacktron AI team discovered CVE-2026-1731 on January 31, 2026, using AI-enabled variant analysis. The vulnerability is an operating system command injection flaw (CWE-78) that requires no authentication or user interaction to exploit.

According to BeyondTrust's security advisory, attackers can send malicious requests to vulnerable systems and execute commands in the context of the site user. This means full unauthorized access to the server, data theft, and service disruption.

BeyondTrust automatically patched all Remote Support SaaS and Privileged Remote Access SaaS customers on February 2, 2026. Self-hosted customers must manually apply patches through their /appliance interface.

Affected versions:

  • Remote Support: All versions before 25.3.2
  • Privileged Remote Access: Older versions (specific version numbers not disclosed)

Customers running Remote Support versions older than 21.3 or PRA versions older than 22.1 must upgrade to a supported version before applying the security patch.

What's the Impact?

BeyondTrust serves over 20,000 customers globally, including 75 of the Fortune 100 companies. Its Remote Support and Privileged Remote Access products manage privileged access across enterprise environments, making them high-value targets for attackers.

Successful exploitation could result in:

  • Complete system compromise — Attackers gain full control without credentials
  • Data exfiltration — Access to privileged credentials, sensitive business data, and customer information
  • Lateral movement — Using compromised remote access systems as a launching point for broader network attacks
  • Service disruption — Shutting down critical remote support infrastructure

BeyondTrust has a history of being targeted. In December 2024, attackers exploited two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in the same products to breach BeyondTrust's own systems. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, 2024, ordering federal agencies to patch within seven days.

Security researcher Jaiswal noted that approximately 8,500 of the 11,000 exposed instances are on-premises deployments, which remain vulnerable until organizations manually apply patches. The remaining 2,500 cloud-hosted instances received automatic patches.

How to Avoid This

Organizations using BeyondTrust Remote Support or Privileged Remote Access should take immediate action:

Patch immediately. Self-hosted customers should apply patch BT26-02-RS (for Remote Support) or BT26-02-PRA (for Privileged Remote Access) through the /appliance interface. Remote Support users should upgrade to version 25.3.2 or later.

Check your version. If you're running Remote Support versions older than 21.3 or PRA versions older than 22.1, upgrade to a supported version before applying the security patch.

Verify cloud instances. If you use the SaaS versions, confirm that your instance was auto-patched on February 2, 2026.

Restrict network access. Limit access to Remote Support and PRA systems by IP address, force VPN access, or place them behind multi-factor authentication.

Enable full logging. Turn on audit trails and SIEM alerts for suspicious activity on remote support systems.

Review privileged accounts. Check for unauthorized access attempts or unusual session activity during the vulnerability window (before February 2, 2026).
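
The version rules above can be applied to a whole inventory at once. The following is an added example, not BeyondTrust tooling or code from the advisory; the inventory rows, hostnames and action labels are constructed for illustration, and only the version thresholds and patch names come from this article.

```python
# Thresholds and patch names are the ones stated in this article.
RS_FIXED = (25, 3, 2)                                  # RS before 25.3.2 is affected
MIN_PATCHABLE = {"RS": (21, 3, 0), "PRA": (22, 1, 0)}  # older must upgrade first
PATCH_ID = {"RS": "BT26-02-RS", "PRA": "BT26-02-PRA"}

def parse_version(text):
    """'24.3' -> (24, 3, 0); raises ValueError on anything non-numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(product, version, saas):
    """Return the action this article's guidance implies for one instance."""
    if product not in PATCH_ID:
        return "MANUAL_REVIEW"
    if saas:
        return "CONFIRM_AUTO_PATCH"      # vendor patched SaaS on February 2, 2026
    try:
        parsed = parse_version(version)
    except ValueError:
        return "MANUAL_REVIEW"           # an unreadable version is never "safe"
    if parsed < MIN_PATCHABLE[product]:
        return "UPGRADE_THEN_APPLY_" + PATCH_ID[product]
    if product == "RS" and parsed >= RS_FIXED:
        return "NOT_AFFECTED"
    # The article gives no fixed PRA version number, so every supported
    # self-hosted PRA instance is routed to the patch.
    return "APPLY_" + PATCH_ID[product]

# Constructed sample inventory: (name, product, version, is_saas).
INVENTORY = [
    ("rs-legacy", "RS", "20.1.4", False),
    ("rs-old", "RS", "24.3.1", False),
    ("rs-new", "RS", "25.3.2", False),
    ("pra-old", "PRA", "21.4", False),
    ("pra-cur", "PRA", "24.1.2", False),
    ("rs-cloud", "RS", "24.3.1", True),
    ("rs-odd", "RS", "25.x", False),
]

def report(inventory):
    """Map each instance name to its triage action."""
    return {name: triage(prod, ver, saas) for name, prod, ver, saas in inventory}

if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(f"{name:10} {action}")
```
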

BeyondTrust has not confirmed active exploitation of CVE-2026-1731, but given the company's history of being targeted and the severity of the flaw, security teams should treat patching as urgent.