CVE-2026-1731 Explained: A Critical Pre-Authentication RCE in BeyondTrust

Published: February 6, 2026

Overview

CVE-2026-1731 is a critical security vulnerability affecting BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). The flaw allows an unauthenticated remote attacker to execute operating system commands by sending specially crafted requests, with no login required.

Because BeyondTrust products are often intentionally exposed to the internet and operate at a high-trust, high-privilege layer, this vulnerability represents a serious security risk for affected organizations.

What Is BeyondTrust and What Is It Used For?

BeyondTrust is a widely recognized enterprise security vendor specializing in:

  • Privileged Access Management (PAM)
  • Secure remote access
  • Remote IT support and administration

The two products impacted by CVE-2026-1731 are core components of many enterprise environments.

BeyondTrust Remote Support (RS)

BeyondTrust Remote Support is commonly used by:

  • IT help desks
  • Managed Service Providers (MSPs)
  • Enterprise support teams

Typical functionality includes:

  • Remote screen sharing and system control
  • Privilege elevation during support sessions
  • File transfers and command execution
  • Session monitoring and auditing

Remote Support portals are designed to be reachable from the internet, allowing technicians and users to connect from anywhere.

BeyondTrust Privileged Remote Access (PRA)

Privileged Remote Access is used by:

  • System and network administrators
  • Security and IAM teams
  • Infrastructure and OT or ICS operators

Typical functionality includes:

  • Secure remote access to servers and network devices
  • Credential vaulting and session isolation
  • Multi-factor authentication
  • Full session recording and audit trails

PRA systems often act as a gateway to critical internal systems.

What Is CVE-2026-1731?

CVE-2026-1731 is a pre-authentication remote code execution vulnerability.

In practical terms:

  • The attacker does not need valid credentials
  • The attack is performed remotely over the network
  • The attacker can execute operating system commands

By sending specially crafted requests to a vulnerable BeyondTrust RS or PRA instance, an attacker may execute commands in the context of the site user.

Why This Vulnerability Is Especially Dangerous

This vulnerability combines several high-risk characteristics:

  • No authentication required
  • Remote exploitation
  • Direct command execution
  • Affected systems are often internet-facing
  • The software controls privileged access

If exploited, an attacker could:

  • Take full control of the BeyondTrust appliance
  • Steal credentials and active sessions
  • Impersonate administrators
  • Pivot into internal networks
  • Bypass security controls such as MFA and auditing

This makes CVE-2026-1731 an incident-level vulnerability, not a routine patching issue.

Affected Versions

According to vendor advisories:

  • BeyondTrust Remote Support installations remain affected until a patched version is applied
  • Only certain older versions of Privileged Remote Access are affected

Administrators should consult the official BeyondTrust security advisory to confirm exact version impact.

Recommendations and Mitigation Steps

Organizations using BeyondTrust RS or PRA should take the following actions immediately:

  • Patch or upgrade to a fixed version provided by BeyondTrust
  • Restrict internet exposure where possible using IP allowlists or VPN access
  • Monitor logs for unusual pre-authentication requests or errors
  • Review appliance integrity and configuration after patching
  • Assume exposure if the system was reachable from the internet prior to remediation

Cloud-hosted BeyondTrust deployments are typically patched automatically, but self-hosted appliances require manual action.
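
The log-monitoring, allowlist and "assume exposure" recommendations above can be combined into one triage pass. The following is an added example, not code from BeyondTrust or from the original article. It assumes a reverse proxy or firewall in front of the appliance writes Common Log Format lines; the allowlist, remediation time, sample lines and paths are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: a reverse proxy or firewall in front of the appliance writes
# Common Log Format lines. This is not BeyondTrust's own log format.
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed values: replace with your own allowlist and remediation time.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
PATCHED_AT = datetime.strptime("06/Feb/2026:18:00:00 +0000", TS_FORMAT)

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
198.51.100.7 - alice [06/Feb/2026:09:12:01 +0000] "GET /placeholder/login HTTP/1.1" 200 512
203.0.113.50 - - [06/Feb/2026:10:03:44 +0000] "GET /placeholder/a HTTP/1.1" 500 0
203.0.113.50 - - [06/Feb/2026:10:03:45 +0000] "POST /placeholder/b HTTP/1.1" 500 0
203.0.113.50 - - [06/Feb/2026:10:03:47 +0000] "POST /placeholder/b HTTP/1.1" 200 87
192.0.2.9 - - [06/Feb/2026:19:30:00 +0000] "GET /placeholder/a HTTP/1.1" 403 0
this line is malformed and must be skipped
"""

def triage(log_text, allowlist=ALLOWLIST, patched_at=PATCHED_AT):
    """Summarise unauthenticated requests from sources outside the allowlist."""
    findings = defaultdict(lambda: {"requests": 0, "errors": 0, "pre_patch": False})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing
        src, user, ts, _method, _path, status = m.groups()
        try:
            ip = ipaddress.ip_address(src)
            when = datetime.strptime(ts, TS_FORMAT)
        except ValueError:
            continue  # hostname instead of IP, or unparseable timestamp
        if user != "-" or any(ip in net for net in allowlist):
            continue  # authenticated user or expected source network
        entry = findings[src]
        entry["requests"] += 1
        entry["errors"] += status.startswith(("4", "5"))
        # Reachable before remediation: the article says to assume exposure.
        entry["pre_patch"] |= when < patched_at
    return dict(findings)

if __name__ == "__main__":
    for src, f in sorted(triage(SAMPLE_LOG).items()):
        action = "ASSUME EXPOSURE" if f["pre_patch"] else "review"
        print(f"{src}: {f['requests']} requests, {f['errors']} errors -> {action}")
```

A source flagged here only shows that the appliance was reachable without authentication from outside the allowlist; confirming or ruling out compromise still requires the integrity review listed above.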

Conclusion

CVE-2026-1731 belongs to one of the most serious vulnerability classes possible: unauthenticated remote code execution in a privileged access platform that is commonly exposed to the internet by design.

Organizations using BeyondTrust should treat this vulnerability with the highest priority and ensure remediation is completed without delay.