Full Report
AL26-003 - Vulnerability affecting BeyondTrust - CVE-2026-1731
Analysis Summary
# Vulnerability: BeyondTrust Pre-Authentication Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-1731
- **CVSS Score:** Not explicitly listed in text, but categorized as **High-Severity / Critical**
- **CWE:** CWE-78 (OS Command Injection)
## Affected Systems
- **Products:**
- BeyondTrust Remote Support (RS)
- BeyondTrust Privileged Remote Access (PRA)
- **Versions:**
- Remote Support: 25.3.1 and prior
- Privileged Remote Access: 24.3.4 and prior
- **Configurations:** Self-hosted instances are at highest risk; SaaS instances were patched automatically by the vendor.
## Vulnerability Description
CVE-2026-1731 is a critical pre-authentication remote code execution (RCE) vulnerability. It stems from the improper neutralization of special elements used in an OS command (OS Command Injection). This allows an unauthenticated remote attacker to execute arbitrary operating system commands in the context of the site user.
## Exploitation
- **Status:** **Exploited in the wild.** Open-source reporting indicates active reconnaissance and exploitation activity.
- **Complexity:** Not specified (typically Low for pre-auth RCE of this nature).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Unauthorized data access and exfiltration)
- **Integrity:** High (Execution of OS commands and system compromise)
- **Availability:** High (Potential for service disruption)
## Remediation
### Patches
BeyondTrust has released the following fixes:
- **Remote Support:**
- Upgrade to **v25.3.2** or greater.
- Specific patch **BT26-02-RS** available for versions v21.3 through 25.3.1.
- **Privileged Remote Access:**
- Upgrade to **v25.1** or greater.
- Specific patch **BT26-02-PRA** available for versions v22.1 through 24.X.
### Workarounds
If immediate patching is not possible:
- Restrict management interfaces using firewalls or IP allowlists.
- Remove externally exposed instances from the internet until they are patched.
- Ensure SaaS instances are confirmed as updated (BeyondTrust reported completion on Feb 2, 2026).
## Detection
- **Indicators of Compromise:** No specific hashes/IPs provided in this alert, but organizations are urged to monitor for unauthorized OS command execution patterns.
- **Detection methods and tools:**
- Review system and application logs for anomalies or unauthorized access.
- Monitor for network traffic originating from the BeyondTrust appliance to internal assets (lateral movement).
## References
- BeyondTrust Security Advisory: hxxps[://]www[.]beyondtrust[.]com/trust-center/security-advisories/bt26-02
- Canadian Centre for Cyber Security Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/al26-003-vulnerability-affecting-beyondtrust-cve-2026-1731
- NVD CVE-2026-1731: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-1731
- GreyNoise Exploitation Trends: hxxps[://]www[.]greynoise[.]io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731