BeyondTrust Warns of Critical Pre-Auth RCE Flaw in Remote Support Software

By Azhar Khan
BeyondTrust has issued an urgent security advisory warning of a critical remote code execution vulnerability affecting its Remote Support and Privileged Remote Access products. The flaw, tracked as CVE-2026-1731, allows unauthenticated attackers to execute operating system commands by sending specially crafted client requests.

The vulnerability is particularly severe because it can be exploited before authentication, putting exposed systems at immediate risk.

Details of the Vulnerability

CVE-2026-1731 stems from improper handling of client requests within BeyondTrust’s remote access services. An attacker does not need valid credentials to trigger the flaw, making it attractive for opportunistic scanning and exploitation.

Successful exploitation could allow threat actors to run arbitrary OS-level commands, potentially leading to full system compromise, lateral movement, or deployment of additional malware.

Scope of Exposure

BeyondTrust estimates that roughly 11,000 internet-facing instances may be exposed if left unpatched. These instances are often deployed to provide remote access and privileged session management, making them high-value targets for attackers.

Security teams warn that vulnerabilities in remote access software are frequently weaponized quickly due to their strategic position inside enterprise networks.

Vendor Response

BeyondTrust confirmed that all affected cloud-hosted instances under its control have already been secured. The company emphasized, however, that customers running on-premises deployments must take immediate action.

Organizations using vulnerable versions are strongly urged to upgrade without delay.

Recommended Fixes

To mitigate the vulnerability, BeyondTrust advises customers to upgrade to the following patched releases:

  • Remote Support version 25.3.2
  • Privileged Remote Access version 25.1.1

These versions address the underlying issue and block the attack vector used for pre-authentication command execution.
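
The sketch below is an added example, not BeyondTrust tooling or part of the vendor advisory. It triages an asset inventory against the two patched releases listed above and puts unpatched, internet-facing appliances first. The CSV layout, hostnames and sample versions are constructed, and treating every version lower than the patched release as needing an upgrade is an assumption; the vendor advisory defines the exact affected ranges.

```python
import csv
import io

# Patched releases named in the article.
PATCHED = {
    "remote support": (25, 3, 2),
    "privileged remote access": (25, 1, 1),
}

# Constructed sample inventory: hosts, versions and exposure flags are invented.
SAMPLE_INVENTORY = """host,product,version,internet_facing
rs-01.example.internal,Remote Support,25.3.2,yes
rs-02.example.internal,Remote Support,25.3.1,yes
pra-01.example.internal,Privileged Remote Access,25.1.1,no
pra-02.example.internal,Privileged Remote Access,24.3.4,no
rs-03.example.internal,Remote Support,unknown,yes
"""

def parse_version(text):
    """Return a tuple of ints, or None when the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return (host, status, exposed) rows, most urgent first.

    status is 'upgrade' (below the patched release), 'verify' (version could
    not be read, so check the appliance by hand) or 'patched'.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = PATCHED.get(row["product"].strip().lower())
        if minimum is None:
            continue  # not one of the two products the article names
        version = parse_version(row["version"])
        if version is None:
            status = "verify"
        else:
            status = "patched" if version >= minimum else "upgrade"
        exposed = row["internet_facing"].strip().lower() == "yes"
        findings.append((row["host"], status, exposed))
    rank = {"upgrade": 0, "verify": 1, "patched": 2}
    # Unpatched before unknown before patched; exposed hosts first in each group.
    return sorted(findings, key=lambda f: (rank[f[1]], not f[2], f[0]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{status:8} exposed={exposed!s:5} {host}")
```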

Risk to Enterprises

Because BeyondTrust products are often deployed with elevated privileges and deep access to internal systems, exploitation could have severe consequences. Attackers gaining control of these platforms may be able to access sensitive systems, credentials, and data.

Past incidents have shown that remote access vulnerabilities are frequently leveraged by ransomware groups and advanced persistent threat actors.

Defensive Guidance

In addition to patching, organizations are advised to review logs for suspicious activity, restrict external exposure where possible, and ensure that remote access services are protected by network-level controls.

Continuous monitoring of privileged access tools is critical, as these platforms often represent a single point of failure in enterprise security architectures.

An Urgent Call to Patch

The disclosure of CVE-2026-1731 serves as a reminder of the risks posed by internet-exposed administrative tools. With pre-authentication exploitation possible, delay in applying updates significantly increases the likelihood of compromise.

For BeyondTrust customers, immediate patching is the most effective step to reduce risk and prevent potential large-scale exploitation.
