CVE-2026-1731 is being actively exploited to target BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) deployments. According to BeyondTrust’s advisory, the flaw enables unauthenticated attackers to send crafted requests and run operating system commands remotely, potentially achieving full remote code execution.
Attackers are deploying VShell and other tools to achieve persistence, lateral movement, and remote control over compromised systems, in a wide campaign spanning the finance, legal, tech, education, retail and healthcare sectors across the US, France, Germany, Australia and Canada.
Patch updates were released by BeyondTrust on 6 February 2026 after Hacktron researchers warned that thousands of instances were exposed online. Roughly 11,000 BeyondTrust Remote Support instances were publicly reachable, around 8,500 on‑premises, leaving many deployments vulnerable if unpatched.
Unit 42 of Palo Alto Networks observed active exploitation for reconnaissance, web shell deployment, C2 activity, backdoor installation and data theft, following a public PoC on 10 February, and noted the use of multiple web shells and C2 gates such as aws[.]php, with some tools linked to China Chopper. The Cybersecurity and Infrastructure Security Agency has warned that CVE-2026-1731 has been exploited in ransomware campaigns, prompting updates to its KEV catalog.
According to BeyondTrust, the flaw allows an unauthenticated remote attacker to execute commands in the context of the site user, underscoring the urgency of applying the patches.