BeyondTrust has released security updates to fix a critical pre-authentication remote code execution flaw, tracked as CVE-2026-1731 (CVSS 9.9), in its Remote Support and Privileged Remote Access products. According to the BeyondTrust advisory, the vulnerability could let an unauthenticated attacker send specially crafted requests and run operating system commands remotely without logging in.
The issue, disclosed on 6 February 2026, could lead to full remote code execution if exploited, making the patches essential to prevent abuse. The fixed versions are Remote Support 25.3.2 and later and Privileged Remote Access 25.1.1 and later, with SaaS customers automatically protected as the fix was deployed on 2 February 2026.
Hackers reportedly had access to roughly 11,000 BeyondTrust Remote Support instances across cloud and on-prem environments, about 8,500 of which were on-prem and potentially vulnerable if not patched. Self-hosted PRA customers should upgrade to version 25.1.1 or later to mitigate the flaw.
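To act on the fixed versions above, an asset inventory can be triaged as in the following added example (not BeyondTrust code). The CSV columns, host names and the `RS`/`PRA` product codes are assumptions made for illustration. Versions are compared as numeric tuples so that a build such as 25.10.0 sorts after 25.3.2.

```python
import csv
import io
import re

# Fixed versions as stated in the article; self-hosted builds below these need the upgrade.
FIXED = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}

# Constructed sample inventory (hypothetical hosts and column names, not real data).
SAMPLE_INVENTORY = """host,product,deployment,version
rs-dmz-01,RS,on-prem,25.3.1
rs-dmz-02,RS,on-prem,25.3.2
pra-core-01,PRA,on-prem,24.3.4
pra-core-02,PRA,on-prem,25.1.1
rs-cloud-01,RS,saas,25.3.1
rs-lab-01,RS,on-prem,unknown
"""

def parse_version(text):
    """Return a (major, minor, patch) tuple, or None if the string is not N.N.N."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(row):
    """Classify one inventory row as 'patched', 'upgrade' or 'review'."""
    product = row["product"].strip().upper()
    if row["deployment"].strip().lower() == "saas":
        return "patched"  # per the article, SaaS received the fix on 2 February 2026
    version = parse_version(row["version"])
    if product not in FIXED or version is None:
        return "review"   # unknown product or unparseable version: check by hand
    return "patched" if version >= FIXED[product] else "upgrade"

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage status."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Rows that land in `review` have a missing or malformed version string and should be checked on the appliance itself instead of being assumed safe.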