cbcvebase.
CVE-2026-1731
published 2026-02-06


Priority: P1, 100, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2026-02-16)
Exploited in the wild
EPSS: 86.09% (99.7th percentile)
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.

Affected

3 ranges
Vendor       Product                                    Version range   Fixed in
beyondtrust  privileged_remote_access                   < 25.1          25.1
beyondtrust  remote_support                             < 25.3.2        25.3.2
beyondtrust  remote_support_privileged_remote_access    <= RS 25.3.1

Detection & IOCs (extracted from sources)

path: linux/http/beyondtrust_pra_rs_command_injection
hash: 10fca076384a292f5e79bb6b92dbaefbf63ad025d5dae392007a993fb5391fca
hash: 91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
hash: 1f6d651be8fc9332bfa01bdc0b1232457b8a657b509de523e83765673abda32b

  • CVE-2026-1731 is an unauthenticated command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). Exploitation delivers SparkRAT and VShell malware payloads.
  • The Metasploit exploit module for CVE-2026-1731 targets BeyondTrust PRA/RS via HTTP and performs unauthenticated command injection. Monitor for exploitation attempts against BeyondTrust web interfaces.
  • Post-exploitation activity following CVE-2026-1731 exploitation involves Bash and PowerShell scripting. Monitor for anomalous shell spawning from BeyondTrust PRA/RS processes.
  • The Metasploit module also introduces a new shared BeyondTrust helper library; existing BeyondTrust modules were ported to use it, meaning older module detections/signatures may need updating.
  • The Metasploit check method was improved to detect older vulnerable BeyondTrust versions that report version strings differently, meaning version-based detection alone may miss some vulnerable instances.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0     9.9    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck           9.9    CRITICAL
cisa                9.9    CRITICAL