THREAT actors began targeting BeyondTrust Remote Support and Privileged Remote Access within 24 hours of the PoC release for CVE-2026-1731, a critical unauthenticated remote code execution flaw. BeyondTrust patched CVE-2026-1731 on 6 February, the same day Hacktron AI warned that roughly 11,000 instances had been exposed to the internet, including about 8,500 on-prem deployments that may have been vulnerable.
A PoC exploit for CVE-2026-1731 was made public on 10 February, and GreyNoise started seeing attack attempts within 24 hours. The security company has observed attacks originating from multiple IP addresses, with one IP accounting for 86% of reconnaissance activity and linked to a commercial VPN service hosted by a provider in Frankfurt. GreyNoise explained that this is not a new actor but an established scanning operation that rapidly added CVE-2026-1731 checks to its toolkit.