Critical Vulnerability Discovered in BeyondTrust Products Sparks Active Exploitation


By Tina Reynolds


Security researchers have identified a serious vulnerability affecting BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw, a privilege escalation vulnerability tracked as CVE-2026-1731, carries a CVSS score of 9.9, placing it in the critical, high-impact range. A score that high underlines how serious the situation is, and security researchers are sounding the alarm. The vulnerability would allow unauthenticated, remote attackers to execute arbitrary code by sending specially crafted requests, potentially putting thousands of organizations at grave risk.

Exploitation of CVE-2026-1731 has already begun, with threat actors actively targeting users of BeyondTrust products. The vulnerability stems from improper restriction of the operations that can be performed on a memory buffer. The damage could be staggering, as compromise of the systems these products protect could cause billions of dollars in losses. BeyondTrust Remote Support versions 21.3 to 25.3.1 are vulnerable, as are Privileged Remote Access versions 22.1 to 24.X.

Immediate Threats and Exploitation

Researchers from watchTowr reported today that attackers are using CVE-2026-1731 to break into BeyondTrust deployments. The issue, referred to as Voldemort, is being exploited through get_portal_info: threat actors pull out the x-ns-company value before creating a WebSocket channel, and this step gives them information that can be used to carry out more sophisticated attacks.

These attacks show threat actors exploiting extended dwell times while waging multi-year campaigns designed to secure long-term access to their targets. Alarmingly, a single IP address appears to account for 86% of all reconnaissance sessions we’ve observed, a sign of a strategic, purposeful and deliberate approach.

Exploitation has moved at breakneck speed: CVE-2026-1731 was exploited in the wild within 24 hours of public proof-of-concept (PoC) exploits being released. This rapid weaponization highlights the need for organizations that use BeyondTrust products to act without delay.
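To turn the reconnaissance pattern described above into a detection check, here is an added example (not code from this article or from watchTowr) that counts get_portal_info requests carrying an x-ns-company value per source IP and alerts when one address dominates; the log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic); the format is an assumption
# made for this example: "<client-ip> <method> <path> <x-ns-company value or ->".
SAMPLE_LOG = [
    "203.0.113.7 GET /get_portal_info acme",
    "203.0.113.7 GET /get_portal_info acme",
    "203.0.113.7 GET /get_portal_info acme",
    "198.51.100.2 GET /get_portal_info acme",
    "203.0.113.7 GET /get_portal_info acme",
    "192.0.2.9 GET /login -",
    "203.0.113.7 GET /get_portal_info acme",
    "203.0.113.7 GET /get_portal_info acme",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (ip, method, path, company) or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ip, method, path, company = m.groups()
    return ip, method, path, (None if company == "-" else company)


def recon_hits(lines):
    """Count, per source IP, the get_portal_info requests that carried an x-ns-company value."""
    hits = Counter()
    for parsed in filter(None, map(parse_line, lines)):  # unparsable lines are skipped
        ip, _method, path, company = parsed
        if path.endswith("get_portal_info") and company is not None:
            hits[ip] += 1
    return hits


def dominant_source(hits):
    """Return (ip, share) for the busiest source; share is its fraction of all recon hits."""
    total = sum(hits.values())
    if total == 0:
        return None, 0.0
    ip, n = hits.most_common(1)[0]
    return ip, n / total


def concentration_alerts(lines, threshold=0.5):
    """Alert when a single IP produces at least `threshold` of all recon hits."""
    hits = recon_hits(lines)
    ip, share = dominant_source(hits)
    if ip is None or share < threshold:
        return []
    return [f"{ip} produced {share:.0%} of get_portal_info recon hits ({hits[ip]} of {sum(hits.values())})"]
```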

Mitigation and Patching

To remedy CVE-2026-1731, BeyondTrust has released patches for all affected products. Patch BT26-02-RS covers Remote Support versions 21.3 through 25.3.1, inclusive, while patch BT26-02-PRA applies to Privileged Remote Access versions 22.1 through 24.X. Organizations running PRA versions 25.1 and above do not need to apply a further patch for this vulnerability.
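As an added example (not BeyondTrust’s own tooling), the check below maps an inventory of RS and PRA hosts to the patch each needs using the version ranges stated above; the inventory hosts and the reading of 24.X as "any 24 release" are assumptions.

```python
# Affected ranges as stated above: inclusive lower and upper bounds, where a
# trailing X (as in 24.X) is read as every release in that major line.
AFFECTED = {
    "RS": ("21.3", "25.3.1", "BT26-02-RS"),
    "PRA": ("22.1", "24.X", "BT26-02-PRA"),
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1); components from the first X/x onward are dropped, so '24.X' -> (24,)."""
    parts = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(parts)


def in_affected_range(version, low, high):
    """Inclusive check: a short bound such as (24,) matches 24.anything, while (25, 3, 1)
    still rejects 25.3.2 because the candidate is truncated to the bound's own length."""
    return version >= low and version[: len(high)] <= high


def required_patch(product, version):
    """Return the patch id a host needs, or None if its version is outside the affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    low, high, patch = AFFECTED[product]
    ver = parse_version(version)
    return patch if in_affected_range(ver, parse_version(low), parse_version(high)) else None


# Constructed inventory of hypothetical hosts; not data from the advisory.
INVENTORY = [
    ("rs-01", "RS", "25.3.1"),
    ("rs-02", "RS", "25.3.2"),
    ("pra-01", "PRA", "24.3.2"),
    ("pra-02", "PRA", "25.1"),
]


def patch_plan(inventory):
    """Map each host to the patch it needs, listing only hosts that need one."""
    plan = {}
    for host, product, version in inventory:
        patch = required_patch(product, version)
        if patch is not None:
            plan[host] = patch
    return plan
```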

Cybersecurity professionals recommend that all users of the affected BeyondTrust products deploy these patches as soon as possible to minimize the risk from the vulnerability. Understanding how to respond and what has changed helps keep systems from remaining exposed to continued attack.

Insights From Security Experts

Security experts are only beginning to untangle what this vulnerability means and how exploitation is trending; we recap their observations here. The DomainTools Investigations (DTI) team commented on the attackers’ calculated approach:

“From their foothold inside the update infrastructure, the attackers did not indiscriminately push malicious code to the global Notepad++ user base.” – DomainTools Investigations (DTI)

This strategic targeting exposes a disturbing trend: threat actors have learned to leverage legitimate mechanisms to gain unauthorized access, turning routine security updates into entry points to high-value targets.

“Instead, they exercised restraint, selectively diverting update traffic for a narrow set of targets, organizations, and individuals whose positions, access, or technical roles made them strategically valuable.” – DomainTools Investigations (DTI)

Palo Alto Networks’ Unit 42 provided insight into this method of attack:

The attack methods we face today are more advanced and sophisticated than ever before, and organizations that rely on these update channels need to stay constantly on watch.

“By abusing a legitimate update mechanism relied upon specifically by developers and administrators, they transformed routine maintenance into a covert entry point for high-value access.” – Palo Alto Networks Unit 42

As Arctic Wolf noted, attackers increasingly rely on tools such as AdsiSearcher to generate inventories of Active Directory computers, intelligence that goes a long way toward improving their reconnaissance efforts.