Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability


https://thehackernews.com/2026/02/researchers-observe-in-wild.html

Publish Date: 2026-02-13 03:34:00

Source Domain: thehackernews.com

Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr.

“Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors,” Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. “Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.”

The vulnerability in question is CVE-2026-1731 (CVSS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests.

BeyondTrust noted last week that successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.

It has been patched in the following versions (all PRA versions 25.1 and greater do not require patching for this vulnerability) –

  • Remote Support – Patch BT26-02-RS (v21.3 – 25.3.1)
  • Privileged Remote Access – Patch BT26-02-PRA (v22.1 – 24.X)

GreyNoise said Defused Cyber has also confirmed in-the-wild exploitation attempts of CVE-2026-1731, with the former noting that it observed reconnaissance efforts targeting the vulnerability less than 24 hours after the availability of a proof-of-concept (PoC) exploit.

“A single IP accounts for 86% of all observed reconnaissance sessions so far. It’s associated with a commercial VPN service hosted by a provider in Frankfurt,” the company said. “This isn’t a new actor; it’s an established scanning operation that rapidly added CVE-2026-1731 checks to its toolkit.”
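
The sequence watchTowr describes (a `get_portal_info` request followed by a WebSocket channel from the same client) can be hunted for in web logs. The following is an added example, not code from watchTowr, GreyNoise or BeyondTrust; it assumes a reverse proxy writing combined-format access logs, and the log lines, IP addresses and WebSocket path placeholder are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format, as a reverse proxy in front
# of the appliance might write them (assumption). IPs are documentation ranges;
# the WebSocket path is a placeholder, not a real product path.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2026:01:02:03 +0000] "GET /get_portal_info HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [13/Feb/2026:01:02:05 +0000] "GET /WEBSOCKET-PATH-PLACEHOLDER HTTP/1.1" 101 0 "-" "python-requests/2.31"
198.51.100.20 - - [13/Feb/2026:01:10:00 +0000] "GET /get_portal_info HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2026:01:15:00 +0000] "GET /WEBSOCKET-PATH-PLACEHOLDER HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Feb/2026:02:00:00 +0000] "GET /get_portal_info HTTP/1.1" 200 312 "-" "curl/8.5"
203.0.113.9 - - [13/Feb/2026:03:30:00 +0000] "GET /WEBSOCKET-PATH-PLACEHOLDER HTTP/1.1" 101 0 "-" "curl/8.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["uri"], int(m["status"])

def find_sequences(log_text, window=timedelta(minutes=5)):
    """Return (ip, probe_time, upgrade_time) for each client that requested
    get_portal_info and then completed a WebSocket upgrade (HTTP 101) within `window`."""
    last_probe = {}   # ip -> time of most recent get_portal_info request
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, uri, status = rec
        if "get_portal_info" in uri:
            last_probe[ip] = ts
        elif status == 101 and ip in last_probe:
            if timedelta(0) <= ts - last_probe[ip] <= window:
                hits.append((ip, last_probe[ip], ts))
            del last_probe[ip]
    return hits

if __name__ == "__main__":
    for ip, probe, upgrade in find_sequences(SAMPLE_LOG):
        print(f"{ip}: get_portal_info at {probe.isoformat()}, WebSocket upgrade at {upgrade.isoformat()}")
```

Legitimate clients may produce the same request order, so hits are leads for triage against known support-staff and customer source addresses rather than confirmation of exploitation.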

It’s worth noting that CVE-2024-43468 was patched by Microsoft in October 2024.

The use of CVE-2026-1731 demonstrates how quickly threat actors can weaponize new vulnerabilities, significantly…