Researchers Document Active Exploitation of BeyondTrust CVSS 9.9 Vulnerability
Recent reports indicate that malicious actors are actively exploiting a critical vulnerability in BeyondTrust products. This flaw, identified as CVE-2026-1731, carries a CVSS score of 9.9. It affects the BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) systems. Attackers have been observed leveraging the vulnerability to execute remote commands without authentication.
Details of the BeyondTrust Vulnerability
Ryan Dewhurst, head of threat intelligence at watchTowr, has highlighted the urgency of this situation. According to Dewhurst, threat actors are abusing the `get_portal_info` function to extract sensitive information before establishing a WebSocket connection.
Potential Risks
The exploitation of CVE-2026-1731 may lead to significant consequences:
- Unauthorized access by remote attackers.
- Data exfiltration, risking sensitive information.
- Service disruptions impacting business operations.
Patch Information
BeyondTrust has provided updates to mitigate this risk:
- Remote Support: Patch BT26-02-RS applicable for versions v21.3 to 25.3.1.
- Privileged Remote Access: Patch BT26-02-PRA applicable for versions v22.1 to 24.X.
All PRA versions 25.1 and above do not require additional patches.
Reconnaissance and Exploitation Attempts
Cybersecurity firm GreyNoise reported that Defused Cyber observed reconnaissance activities targeting this vulnerability shortly after a proof-of-concept (PoC) was released. Notably, a single IP address accounted for 86% of all reconnaissance attempts, showing that attackers are leveraging established scanning operations to identify vulnerable targets.
Increased Vigilance by CISA
Following these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This list includes:
- CVE-2026-20700 – CVSS score: 7.8; affects various Apple platforms.
- CVE-2025-15556 – CVSS score: 7.7; concerns Notepad++.
- CVE-2025-40536 – CVSS score: 8.1; impacts SolarWinds Web Help Desk.
- CVE-2024-43468 – CVSS score: 9.8; affects Microsoft Configuration Manager.
Conclusion
The swift exploitation of CVE-2026-1731 serves as a strong reminder of the importance of timely patches. Organizations using BeyondTrust products should prioritize upgrading to secure versions. As threat actors rapidly adapt to emerging vulnerabilities, maintaining updated defenses has never been more critical.
