Attackers began exploiting BeyondTrust CVE-2026-1731 within hours of a PoC being released, exposing an unauthenticated remote code execution flaw in BeyondTrust Remote Support and older Privileged Remote Access products. BeyondTrust released security updates on 6 February 2026 after Hacktron researchers warned that thousands of instances were exposed online, with roughly 11,000 BeyondTrust Remote Support instances cited as publicly accessible across cloud and on‑prem environments.
The flaw could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, potentially leading to full system compromise, data theft, and service disruption, according to BeyondTrust’s advisory. After the PoC, GreyNoise reported reconnaissance activity within 24 hours, with one IP responsible for 86% of scans, using a commercial VPN and Linux tooling to probe non‑standard ports.
The same IPs were observed targeting other products such as SonicWall, MOVEit, Log4j, Sophos, SSH, and IoT devices, indicating multi‑exploit behaviour, as noted in the GreyNoise report. A rapid wave of exploitation followed the PoC, underscoring the urgency of applying patches and monitoring for signs of activity.