Latest BeyondTrust vulnerability: CVE-2026-1731 #
BeyondTrust disclosed a pre-authentication remote code execution (RCE) vulnerability affecting certain versions of both Remote Support (RS) and Privileged Remote Access (PRA). This flaw is triggered via specially crafted client requests sent to the appliance. Successful exploitation could allow a remote, unauthenticated adversary to execute arbitrary operating system commands in the context of the site user, potentially leading to full system compromise. The vulnerability has been designated CVE-2026-1731 and has been rated critical with a CVSS score of 9.9.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Remote Support (RS) versions 25.3.1 and prior
- Privileged Remote Access (PRA) versions 24.3.4 and prior
What are BeyondTrust Remote Support, and Privileged Remote Access?
#
BeyondTrust Remote Support (RS) is an enterprise platform designed for help desks to securely access and troubleshoot end-user devices or mobile platforms across any network without a VPN.
BeyondTrust Privileged Remote Access (PRA) is a zero-trust security solution providing vendors and internal admins with granular, audited access to critical infrastructure without granting full network visibility.
What is the impact? #
Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Remote Support (RS) versions 21.3 and older upgrade to a newer version to apply patch BT26-02-RS
- Remote Support (RS) versions 25.3.1 and prior upgrade to version 25.3.2 and later
- Privileged Remote Access (PRA) versions 22.1 and older upgrade to a newer version to apply patch BT26-02-PRA
- Privileged Remote Access (PRA) versions 24.3.4 and prior upgrade to version 25.1.1 and later
How to find potentially vulnerable systems with runZero #
From the Services Inventory, use the following query to locate potentially impacted assets:
_asset.protocol:=http AND protocol:=http AND
(product:="BeyondTrust Remote Support" OR
product:="Beyond Trust Remote Support" OR
product:="BeyondTrust BeyondTrust Remote Support" OR
product:="BeyondTrust Privileged Remote Access")
AND _service.product:beyondtrustJanuary 2025: CVE-2024-12356 #
BeyondTrust disclosed that affects their Privileged Remote Access (PRA) and Remote Support (RS) appliances. This has also been added to the CISA KEV as it has been exploited in the wild.
- CVE-2024-12356 is rated highly-critical with a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an attacker execute arbitrary commands on the appliance.
What is the impact? #
The issue impacts PRA and RS versions 24.3.1 and earlier.
Are updates or workarounds available? #
BeyondTrust has released a patch for all supported iterations of PRA and RS versions 22.1.x and higher and has applied the patch to cloud customers earlier this week.
How do I find potentially vulnerable systems with runZero? #
From the Services Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:BeyondTrust or http.body:BeyondTrust
From the Assets Inventory, use the following query to locate systems running potentially vulnerable software:
os:BeyondTrust OR hw:BeyondTrust OR os:Bomgar OR hw:Bomgar
