thehackernews.com 2/13/2026, 10:05:44 AM · via preferred

Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability

According to watchTowr, threat actors are already exploiting CVE-2026-1731 (CVSS 9.9), a recently disclosed critical flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) that enables unauthenticated remote code execution. The researchers observed in-the-wild activity in which attackers abuse get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.

BeyondTrust said exploitation could allow an unauthenticated attacker to run OS commands in the context of the site user, risking data exfiltration and service disruption. The flaw has been patched in Remote Support with BT26-02-RS, 25.3.2 and later, and in Privileged Remote Access with BT26-02-PRA, 25.1.1 and later.

In related moves, the U.S. Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-20700, CVE-2025-15556 and CVE-2025-40536, with CVE-2024-43468 also noted; the latter had been patched by Microsoft.

DomainTools Investigations described the Notepad++ campaign linked to Lotus Blossom as a precise, quiet intrusion using trojanised installers and long dwell times, noting a five-month window of Notepad++ update compromise between June and October 2025 and that attackers selectively diverted updates to high-value targets. Agencies have set deadlines to address CVE-2025-40536 by 15 February 2026 and the remaining three by 5 March 2026.


Article by CyberSIXT
