Attackers have started actively exploiting a critical pre-authentication vulnerability in software from IAM vendor BeyondTrust, CVE-2026-1731.

Assume that self-hosted BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) instances are now compromised if you haven't patched since the February 6 disclosure, watchTowr warned on Thursday.

An estimated 11,000 instances are exposed to trivial exploitation, said researchers at Hacktron, who reported the bug. It was spotted by founder Harsh Jaiswal, who said that AI “gave me PoC in hand. (Vibe hacking?)”

"Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel," said Ryan Dewhurst on Thursday.
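The sequence Dewhurst describes (a call to get_portal_info from a client that then opens a WebSocket channel) is the kind of pattern a defender can hunt for in web access logs. The following Python triage script is an added example written for this article, not code from BeyondTrust, Hacktron or watchTowr. It assumes a combined-log-style line format and that hitting get_portal_info shortly before a 101 Switching Protocols response is worth a closer look; the sample log lines are constructed, and real BeyondTrust logs may name the endpoint and fields differently.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed combined-log-like format (not real
# BeyondTrust logs). 203.0.113.7 calls get_portal_info and then upgrades to a
# WebSocket two seconds later; the other clients do not show the full sequence.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "POST /get_portal_info HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2026:10:00:03 +0000] "GET /session/ws HTTP/1.1" 101 0
198.51.100.4 - - [12/Feb/2026:10:05:00 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.4 - - [12/Feb/2026:10:05:10 +0000] "POST /get_portal_info HTTP/1.1" 200 512
192.0.2.9 - - [12/Feb/2026:11:00:00 +0000] "GET /session/ws HTTP/1.1" 101 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def is_portal_info(rec):
    # The article names get_portal_info as the abused endpoint; the exact path
    # prefix is an assumption, so match the name anywhere in the request line.
    return "get_portal_info" in rec["req"]


def is_websocket_upgrade(rec):
    # HTTP 101 is the status a server returns when switching to WebSocket.
    return rec["status"] == 101


def find_suspicious_sequences(log_text, window_seconds=60):
    """Flag clients that open a WebSocket within `window_seconds` of calling
    get_portal_info. Lines are assumed to be in chronological order."""
    last_portal = {}  # client ip -> timestamp of its most recent get_portal_info
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_portal_info(rec):
            last_portal[rec["ip"]] = rec["ts"]
        elif is_websocket_upgrade(rec):
            prev = last_portal.get(rec["ip"])
            if prev is not None and rec["ts"] - prev <= timedelta(seconds=window_seconds):
                hits.append((rec["ip"], prev, rec["ts"]))
    return hits


if __name__ == "__main__":
    for ip, t_portal, t_ws in find_suspicious_sequences(SAMPLE_LOG):
        print(f"{ip}: get_portal_info at {t_portal:%H:%M:%S}, WebSocket at {t_ws:%H:%M:%S}")
```

This is a triage filter, not a verdict: legitimate portal clients may follow the same order, so baseline the hit rate against normal traffic and pair it with the vendor's indicators before treating a client as hostile.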

No user interaction required

"Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption," said BeyondTrust in an advisory last week.

It said a patch was applied for SaaS customers on February 2.

Self-hosted customers not subscribed to auto updates had to manually apply the patch – and customers on a Remote Support version older than 21.3 or on a Privileged Remote Access version older than 22.1 had to upgrade before they could apply it.

See also: US Treasury breached after BeyondTrust API key leaked

Affected versions were from Remote Support 25.3.1 and prior, and Privileged Remote Access 24.3.4 and prior.
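For a fleet of self-hosted appliances, the two version thresholds above (the affected ceiling, and the floor below which an upgrade is needed before patching) are easiest to apply with a small script. The following Python triage helper is an added example written for this article, not BeyondTrust tooling. It assumes dotted numeric version strings and takes the patch state as an explicit input, because the article gives no fixed build number from which patch state could be inferred; the inventory rows are constructed.

```python
# Version ceilings the article reports as affected (inclusive).
AFFECTED_MAX = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}
# Versions below these must be upgraded before the patch can be applied.
MIN_PATCHABLE = {"RS": (21, 3), "PRA": (22, 1)}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1). Assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version, length):
    """Right-pad with zeros so (25, 3) compares like (25, 3, 0)."""
    return version + (0,) * (length - len(version))


def triage(product, version, patch_applied=False):
    """Classify one appliance. Returns one of:
    'outside-stated-range', 'upgrade-required', 'patch-required', 'patched'."""
    v = parse_version(version)
    if pad(v, 3) > AFFECTED_MAX[product]:
        # Newer than any version the article lists as affected.
        return "outside-stated-range"
    if pad(v, 2)[:2] < MIN_PATCHABLE[product]:
        # Too old to take the patch directly; must upgrade first.
        return "upgrade-required"
    return "patched" if patch_applied else "patch-required"


def triage_inventory(rows):
    """rows: iterable of (hostname, product, version, patch_applied)."""
    return {host: triage(prod, ver, patched) for host, prod, ver, patched in rows}


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    ("rs-dc1", "RS", "25.3.1", False),
    ("rs-lab", "RS", "20.2", False),
    ("pra-hq", "PRA", "24.3.4", True),
    ("pra-dr", "PRA", "21.4", False),
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

Anything reported as patch-required or upgrade-required on an internet-facing appliance should be handled under the assumption watchTowr states above: treat the box as compromised until proven otherwise, not merely as unpatched.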

"Given that BeyondTrust Remote Support and Privileged Remote Access are widely deployed in enterprise environments for remote access and privileged session management, the potential blast radius of this vulnerability is significant," said Hacktron.

Its analysis found around 11,000 exposed instances, with some 8,500 of those on-prem across healthcare, financial services, government, and hospitality. BeyondTrust names the NHS as among its customers.

Analysis by Rapid7 showed that the vulnerability “is in the exact same endpoint as a previous high profile vulnerability CVE-2024-12356."

The latter BeyondTrust vulnerability was one of 2024's most-exploited bugs.