CISA Adds BeyondTrust Flaw To KEV As Exploitation Begins Within 24 Hours

Pre-authentication RCE in BeyondTrust Remote Support and PRA draws rapid scanning activity, echoing past nation-state abuse

Published on Feb 17, 2026

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation.

The flaw affects BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) and carries a CVSS v4 score of 9.9.

According to BeyondTrust’s advisory (BT26-02), the vulnerability is a pre-authentication operating system command injection that allows Remote Code Execution (RCE) without the need for credentials or user interaction.

Successful exploitation allows an attacker to run arbitrary commands, which can in turn enable data exfiltration, lateral movement, and service disruption.

CISA confirmed the addition to the KEV catalog under Binding Operational Directive 22-01, which mandates remediation by Federal Civilian Executive Branch agencies. While the directive applies to federal agencies, CISA urges all organizations to patch KEV-listed vulnerabilities as soon as possible.

Proof-Of-Concept To Recon In Less Than One Day

A Proof-of-Concept (PoC) exploit for CVE-2026-1731 was posted to GitHub on Feb. 10, 2026. Within 24 hours, researchers at GreyNoise observed reconnaissance activity targeting vulnerable BeyondTrust instances.

In a Feb. 12 analysis, GreyNoise reported that one IP address accounted for 86% of observed reconnaissance traffic. The scanning infrastructure appeared to use VPN tunneling and custom tooling, and targeted both standard port 443 and non-standard ports, suggesting attackers are anticipating security-through-obscurity deployments.

Glenn Thorpe, Senior Researcher at GreyNoise, wrote that the vulnerability follows a “predictable but dangerous pattern: critical disclosure, rapid PoC, and immediate reconnaissance.” He noted similarities to CVE-2024-12356, a related BeyondTrust flaw reportedly exploited by the Silk Typhoon group in connection with a US Treasury breach in 2024.

BeyondTrust automatically patched SaaS customers on Feb. 2, 2026. Self-hosted customers must update manually to RS 25.3.2+ or PRA 25.1.1+, or apply vendor-issued patches. Exploitation has so far been limited to internet-facing, unpatched self-hosted environments.