Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on Friday to secure their BeyondTrust Remote Support instances against an actively exploited vulnerability within three days. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including government agencies and 75% of Fortune 100 companies worldwide. Tracked as CVE-2026-1731, this remote code…
Analysis Summary
# Vulnerability: BeyondTrust Remote Support and PRA OS Command Injection
## CVE Details
- **CVE ID:** CVE-2026-1731
- **CVSS Score:** Not stated in the source (CISA's KEV listing and the three-day federal deadline reflect confirmed exploitation, not a published score)
- **CWE:** CWE-78 (OS Command Injection)
## Affected Systems
- **Products:**
- BeyondTrust Remote Support
- BeyondTrust Privileged Remote Access (PRA)
- **Versions:**
- Remote Support: 25.3.1 and earlier
- Privileged Remote Access: 24.3.4 and earlier
- **Configurations:** Any deployment of the affected products whose web interface an attacker can reach. Internet-facing appliances are the most exposed, since the products exist to broker remote access into the environment.
## Vulnerability Description
CVE-2026-1731 is an OS command injection (CWE-78) flaw that leads to remote code execution: input reaching the appliance is passed into an operating-system command without adequate validation, so an attacker can break out of the intended command and run arbitrary commands on the underlying OS of a Remote Support or PRA appliance, bypassing the product's own access controls. Because these appliances broker privileged remote sessions into the network, a compromised appliance gives the attacker a trusted foothold and a path to the systems it connects to.
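The CWE-78 pattern described above, shown as an added illustration: a hypothetical "ping a host" feature that splices untrusted input into a shell command line, next to a hardened version that validates the input and passes an argument list with no shell. This is example code written for this page, not BeyondTrust's code, and it does not reproduce the actual CVE-2026-1731 bug; the function names, the hostname regex and the sample inputs are all assumptions. Nothing is executed; the helpers only show what a POSIX shell would make of the resulting command line.

```python
import re
import shlex

# Added illustration of CWE-78 (OS command injection). The 'ping' feature and
# every name below are hypothetical; this is not BeyondTrust's code and does
# not reproduce the CVE-2026-1731 bug itself.

# Allowlist for the one value we accept: a plain DNS hostname / IPv4 literal.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def vulnerable_command(host: str) -> str:
    """VULNERABLE: untrusted input is spliced into a string that the caller
    would hand to /bin/sh (e.g. subprocess.run(cmd, shell=True))."""
    return f"ping -c 1 {host}"


def shell_words(cmdline: str) -> list[str]:
    """Tokenise the way a POSIX shell would, keeping operators such as ';',
    '|', '&&' as their own tokens so a second command becomes visible."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def extra_commands(cmdline: str) -> int:
    """Count command separators the shell would honour in this command line.
    Anything above zero means the 'argument' has become additional commands."""
    return sum(1 for tok in shell_words(cmdline) if tok in (";", "|", "||", "&&", "&"))


def hardened_argv(host: str) -> list[str]:
    """HARDENED: strict allowlist on the input, then an argv list meant for
    subprocess.run(argv) with no shell, so metacharacters are never parsed."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    # Constructed attacker input: terminates the intended command and appends another.
    evil = "8.8.8.8; id"
    cmd = vulnerable_command(evil)
    print(cmd, "->", shell_words(cmd), "extra commands:", extra_commands(cmd))
    print(hardened_argv("host.example.com"))
    try:
        hardened_argv(evil)
    except ValueError as e:
        print("hardened path:", e)
```

The key design point is the second half: validation alone is fragile (a regex that forgets one metacharacter reopens the hole), so the hardened path also removes the shell from the call chain, which is what makes the allowlist a defence in depth rather than the only line.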
## Exploitation
- **Status:** Actively exploited in the wild (Confirmed by CISA)
- **Complexity:** Not stated in the source (command injection of this kind is usually low-complexity to trigger once the injection point is known)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
BeyondTrust has released fixed builds. Upgrade every instance to a release later than the last affected version, using the exact fixed build numbers in the vendor advisory, and confirm the running version in the appliance's administrative interface afterwards:
- **BeyondTrust Remote Support:** any release later than 25.3.1
- **BeyondTrust Privileged Remote Access:** any release later than 24.3.4
### Workarounds
The article reports no vendor workaround; patching is the only remediation given, and the three-day federal deadline reflects confirmed exploitation. Until an instance is updated, restricting which networks can reach its web interface reduces exposure but does not remove the flaw.
## Detection
- **Indicators of Compromise:** The source publishes no specific indicators. Review the appliance's audit logs for administrative accounts or API credentials you did not create, check for outbound connections from the appliance to destinations other than its configured services and the clients it brokers, and treat any evidence of commands executed by the appliance's web-application service outside the product's normal update and support flow as a sign of compromise.
- **Detection methods and tools:** CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which is the authoritative signal for prioritisation. Identify instances from your asset inventory and from the version shown in each appliance's admin interface, then confirm with a vulnerability scanner whose checks cover CVE-2026-1731. Federal agencies are required to remediate within three days.
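A version triage for the Patches and Detection sections above, as an added example that is not part of the original report: it classifies an appliance inventory against the affected-version thresholds this page states (Remote Support 25.3.1 and earlier, PRA 24.3.4 and earlier). The product names used as keys, the `Appliance` record and the sample inventory are assumptions constructed for the example; the vendor advisory remains authoritative for the exact fixed builds, and anything above the stated thresholds is treated here as fixed.

```python
from dataclasses import dataclass

# Thresholds as stated in this report: these builds and everything earlier are
# affected. Keys are labels chosen for this example, not a vendor identifier.
AFFECTED_MAX = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1). Raises ValueError on anything that is
    not dot-separated integers, so junk in the inventory is not silently 'ok'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts


def is_affected(product: str, version: str) -> bool:
    """True when version <= the last affected build for that product.
    Integer tuples compare component-wise, so (25, 3, 10) > (25, 3, 1);
    a naive string compare would wrongly put '25.3.10' before '25.3.2'."""
    try:
        limit = AFFECTED_MAX[product]
    except KeyError:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version)
    # Pad shorter versions with zeros so '25.3' compares as 25.3.0.
    n = max(len(v), len(limit))
    return v + (0,) * (n - len(v)) <= limit + (0,) * (n - len(limit))


@dataclass
class Appliance:
    host: str
    product: str
    version: str


def triage(inventory: list[Appliance]) -> dict[str, list[str]]:
    """Split an inventory into hosts that still run an affected build and
    hosts already on a later release."""
    out: dict[str, list[str]] = {"patch_now": [], "ok": []}
    for a in inventory:
        out["patch_now" if is_affected(a.product, a.version) else "ok"].append(a.host)
    return out


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE = [
    Appliance("rs-dmz-01", "Remote Support", "25.3.1"),
    Appliance("rs-dmz-02", "Remote Support", "25.3.2"),
    Appliance("rs-lab", "Remote Support", "24.2.0"),
    Appliance("pra-core", "Privileged Remote Access", "24.3.4"),
    Appliance("pra-new", "Privileged Remote Access", "24.3.10"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version string read from each appliance's administrative interface; the point of the numeric comparison is that "25.3.10" must sort above "25.3.2", which string-based inventory filters routinely get wrong.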
## References
- **Vendor Advisory:** hxxps://www[.]beyondtrust[.]com/ (Search for security advisories related to CVE-2026-1731)
- **CISA KEV Catalog:** hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Source Article:** hxxps://threatbeat[.]com/cisa-gives-feds-3-days-to-patch-actively-exploited-beyondtrust-flaw/
- **Original Reporting:** hxxps://www[.]bleepingcomputer[.]com/news/security/cisa-orders-feds-to-patch-beyondtrust-flaw-within-three-days/amp/