BeyondTrust Patches Critical Pre-Authentication RCE Vulnerability in Remote Access Products

BeyondTrust disclosed a critical zero-day vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) platforms. 

The flaw is tracked as CVE-2026-1731 (CVSS score 9.9) - an OS command injection vulnerability (CWE-78) that allows unauthenticated attackers to run arbitrary commands. Attackers can send specially crafted network requests to the vulnerable appliance, which fails to properly sanitize input before passing it to the underlying operating system. This allows the execution of commands with the privileges of the site user, bypassing all authentication requirements and security controls.

Successful exploitation grants attackers a foothold in the organization's remote access infrastructure. Because these systems often hold high-level privileges to manage other servers, the breach of a single appliance can put at risk the security of the entire enterprise.

The vulnerability affects: 

• BeyondTrust Remote Support versions 25.3.1 and earlier,
• Privileged Remote Access versions 24.3.4 and prior. 

BeyondTrust patched all SaaS instances as of February 2, 2026, so cloud customers are already protected. Self-hosted administrators must manually apply patch BT26-02-RS for Remote Support or BT26-02-PRA for Privileged Remote Access via the /appliance interface. For long-term resolution, users should update to Remote Support version 25.3.2 or later, and Privileged Remote Access version 25.1.1 or later to ensure the vulnerability is fully remediated.

Organizations running legacy versions, specifically Remote Support older than 21.3 or PRA older than 22.1, must perform a full version upgrade before they can apply the necessary security patches.