AL26-003 - Vulnerability affecting BeyondTrust - CVE-2026-1731
A critical pre-authentication remote code execution vulnerability (CVE-2026-1731) in BeyondTrust Remote Support and Privileged Remote Access is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute arbitrary OS commands, necessitating immediate patching or isolation of self-hosted instances.
Authors: Canadian Centre for Cyber Security
Key Takeaways
- A critical pre-authentication remote code execution vulnerability (CVE-2026-1731) affects BeyondTrust Remote Support and Privileged Remote Access.
- The vulnerability allows unauthenticated attackers to execute OS commands, potentially leading to full system compromise.
- Active exploitation in the wild has been observed according to open-source reporting.
- SaaS instances were automatically patched by February 2, 2026, but self-hosted instances require immediate manual patching or isolation.
Affected Systems
- BeyondTrust Remote Support (RS) versions 25.3.1 and prior
- BeyondTrust Privileged Remote Access (PRA) versions 24.3.4 and prior
Vulnerabilities (CVEs)
- CVE-2026-1731
Attack Chain
An unauthenticated remote attacker targets a vulnerable BeyondTrust Remote Support or Privileged Remote Access instance. No credentials or prior access are required; network reachability of the appliance is sufficient. By exploiting CVE-2026-1731, the attacker injects and executes arbitrary operating system commands in the context of the site user. This initial access can then be leveraged for further system compromise, unauthorized access, data exfiltration, and service disruption.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the alert.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR visibility depends on the ability to install agents on the BeyondTrust appliance; if supported, post-exploitation OS command execution would be highly visible.
- Network Visibility: Medium. Network monitoring could detect anomalous inbound requests to the appliance or unexpected outbound connections indicating exfiltration or C2.
- Detection Difficulty: Moderate. Detecting the initial exploit payload may be difficult without specific network signatures, but post-exploitation OS command execution should be visible if appliance logging is forwarded to a SIEM.
Required Log Sources
- Web Application Logs
- System Event Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected child processes (e.g., shell interpreters) spawning from the BeyondTrust web application or service processes. | Process creation logs | Execution | Low |
| Identify anomalous outbound network connections originating from the BeyondTrust appliance to unknown external IP addresses. | Network flow logs | Command and Control | Medium |
Control Gaps
- Externally exposed management interfaces without IP allowlisting
- Lack of automated patching for self-hosted instances
Key Behavioral Indicators
- Anomalous child processes from BeyondTrust services
- Unexpected outbound network traffic from the appliance
- Unauthorized access anomalies in application logs
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Upgrade BeyondTrust Remote Support to version 25.3.2+ or apply Patch BT26-02-RS.
- Upgrade BeyondTrust Privileged Remote Access to version 25.1+ or apply Patch BT26-02-PRA.
- Remove externally exposed instances from the Internet until the patch is applied.
- Restrict management interfaces via firewall or IP allowlists.
Infrastructure Hardening
- Isolate web-facing applications.
- Harden operating systems and applications according to best practices.
User Protection
- N/A
Security Awareness
- Review and implement the Cyber Centre's Top 10 IT Security Actions.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059 - Command and Scripting Interpreter