PT-2026-6803 · Beyondtrust · Beyondtrust Remote Support+1

Win3Zz · Published 2026-01-31 · Updated 2026-04-21 · CVE-2026-1731

CVSS v4.0: 10 (Critical)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L

Name of the Vulnerable Software and Affected Versions

BeyondTrust Remote Support versions prior to 25.3.2 and Privileged Remote Access versions prior to 25.1.1

Description

BeyondTrust Remote Support and Privileged Remote Access software contain a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731). This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on affected systems. The vulnerability stems from a flaw in the handling of HTTP requests, specifically within the “thin-scc-wrapper” component. Attackers can exploit this flaw by sending specially crafted requests, enabling them to gain control of the system without needing to log in.

Active exploitation of this vulnerability has been observed, with attackers deploying web shells, backdoors (such as VShell and SparkRAT), and staging data for exfiltration. The vulnerability has a CVSS score of 9.9, indicating its critical severity. Approximately 11,000 instances are estimated to be exposed, with a significant number being on-premises deployments. Exploitation has been linked to ransomware campaigns and has been observed across multiple sectors, including finance, healthcare, legal, and technology.

Recommendations

BeyondTrust Remote Support versions prior to 25.3.2: Upgrade to version 25.3.2 or later.
BeyondTrust Privileged Remote Access versions prior to 25.1.1: Upgrade to version 25.1.1 or later.
For older versions, upgrade to a more recent version before applying the security patch.
If unable to patch immediately, restrict external access to affected systems.
Monitor systems for any signs of compromise, including suspicious network activity and unauthorized file modifications.

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-03413
CVE-2026-1731

Affected Products

Beyondtrust Remote Support
Privileged Remote Access