
CVE-2026-1731: Active Exploitation of BeyondTrust WebSocket RCE

Red | Vulnerability Report

Summary

CVE-2026-1731 is a critical unauthenticated remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) appliances, caused by an OS command injection flaw (CWE-78) in a WebSocket-accessible endpoint. Rated CVSSv4 9.9, it lets an attacker execute arbitrary system commands by sending specially crafted requests to the vulnerable WebSocket endpoint, with no authentication or user interaction required. Successful exploitation yields full compromise of the appliance, unauthorized access, data exfiltration, and a foothold for lateral movement within the enterprise environment. The vulnerability has been actively exploited in the wild since public disclosure and the release of proof-of-concept exploit code.

The vulnerability impacts Remote Support versions 25.3.1 and earlier, and Privileged Remote Access versions 24.3.4 and earlier in self-hosted deployments. CVE-2026-1731 shares similarities with CVE-2024-12356, a previously exploited zero-day affecting related WebSocket functionality in BeyondTrust appliances, suggesting attackers are systematically targeting WebSocket attack surfaces in these products. Because BeyondTrust Remote Support and Privileged Remote Access provide remote administration and privileged access management capabilities for sensitive infrastructure, successful exploitation grants attackers high-value control over critical enterprise systems including servers, workstations, network devices, and security appliances managed through these platforms.

Exploitation Timeline:

  • January 31, 2026: Vulnerability discovered
  • February 2, 2026: BeyondTrust automatically patches all cloud/SaaS instances
  • February 6, 2026: Public disclosure; on-premises patches released
  • February 10, 2026: Proof-of-concept exploit code published on GitHub
  • February 11-12, 2026: Widespread reconnaissance and active exploitation attempts observed
  • February 13, 2026: CISA adds CVE-2026-1731 to Known Exploited Vulnerabilities catalog

Security researchers estimate that thousands of on-premises BeyondTrust instances were internet-facing, and therefore potentially exposed, at the time of public disclosure. Following PoC availability, widespread scanning and exploitation attempts were observed against both the standard HTTPS port (443) and non-standard ports, indicating that attackers anticipated defenders relocating the service rather than patching it. Threat actors successfully exploited vulnerable endpoints to execute system commands and, in documented cases, deployed remote monitoring and management (RMM) tools to establish persistence for ongoing access.

Post-exploitation behaviors observed by security researchers include deployment of unauthorized RMM tools, unexpected PsExec execution across multiple hosts (a lateral-movement indicator), and Impacket-based SMBv2 session activity consistent with credential harvesting and privilege escalation. Low attack complexity, no authentication or user-interaction requirement, public exploit code, and confirmed in-the-wild exploitation together make CVE-2026-1731 an immediate patching priority for any organization running affected BeyondTrust deployments.

Vulnerability Details (Condensed)

Root Cause: OS command injection (CWE-78) in WebSocket endpoint allows arbitrary system command execution without authentication

CVSSv4 Score: 9.9 (Critical) reflecting full system compromise risk

Affected Versions:

  • Remote Support: v25.3.1 and earlier (patch: v25.3.2+)
  • Privileged Remote Access: v24.3.4 and earlier (patch: v25.1.1+)
  • SaaS instances: Auto-patched February 2, 2026
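As an added example (not BeyondTrust or Hive Pro tooling), the following Python script triages a constructed inventory against the fixed versions listed above. It assumes version strings are plain dotted numbers with an optional leading "v", and it is deliberately conservative: because the advisory names a last affected release and a first fixed release but does not classify anything in between, any self-hosted release below the fixed version is reported as needing action.

```python
"""Triage a BeyondTrust RS/PRA inventory against the fixed versions in this advisory.

Added example, not BeyondTrust or Hive Pro tooling. The version thresholds are
taken from the advisory text; the inventory below is constructed.
"""
from typing import Tuple

# Lowest fixed release per product for self-hosted appliances, per the advisory.
FIXED_VERSION = {
    "Remote Support": (25, 3, 2),
    "Privileged Remote Access": (25, 1, 1),
}

# Last affected release named by the advisory. Releases between this and the
# fixed release are not classified by the advisory, so assess() reports them
# as needing action rather than guessing (assumption: conservative by design).
LAST_AFFECTED = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v25.3.1' -> (25, 3, 1). Short strings are padded: '25.3' -> (25, 3, 0)."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(product: str, version: str, deployment: str) -> str:
    """Return 'saas-auto-patched', 'patched', 'vulnerable' or 'unclassified-treat-as-vulnerable'."""
    if product not in FIXED_VERSION:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    if deployment == "saas":
        # Advisory: the vendor auto-patched all cloud/SaaS instances on 2026-02-02.
        return "saas-auto-patched"
    if deployment != "self-hosted":
        raise ValueError(f"unknown deployment type: {deployment!r}")
    v = parse_version(version)
    if v >= FIXED_VERSION[product]:
        return "patched"
    if v <= LAST_AFFECTED[product]:
        return "vulnerable"
    return "unclassified-treat-as-vulnerable"


def triage(inventory):
    """Return (hostname, status) for every row, rows needing action first."""
    rows = [(host, assess(prod, ver, dep)) for host, prod, ver, dep in inventory]
    return sorted(rows, key=lambda r: r[1] in ("saas-auto-patched", "patched"))


# Constructed inventory: (hostname, product, version, deployment type).
INVENTORY = [
    ("rs-appliance-01.example.internal", "Remote Support", "25.3.1", "self-hosted"),
    ("rs-appliance-02.example.internal", "Remote Support", "v25.3.2", "self-hosted"),
    ("pra-appliance-01.example.internal", "Privileged Remote Access", "24.3.4", "self-hosted"),
    ("pra-appliance-02.example.internal", "Privileged Remote Access", "25.1.1", "self-hosted"),
    ("pra-appliance-03.example.internal", "Privileged Remote Access", "25.0.0", "self-hosted"),
    ("rs-saas-tenant (vendor-hosted)", "Remote Support", "25.3.1", "saas"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{status:36} {host}")
```

Feed `triage()` an export from your asset inventory in the same four-column shape; anything other than "patched" or "saas-auto-patched" needs the upgrade in the recommendations section, and the SaaS status should still be confirmed in the vendor console rather than assumed from this table.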

Similar Vulnerability: CVE-2024-12356 (previously exploited zero-day in BeyondTrust WebSocket functionality)

Active Exploitation Confirmed: Widespread scanning post-PoC release; RMM tool deployment for persistence; PSExec and Impacket-based lateral movement observed

High-Value Target: BeyondTrust products manage privileged access to sensitive infrastructure, making compromise extremely valuable to attackers


Recommendations

  1. Emergency Patching – Upgrade immediately to Remote Support 25.3.2+ or Privileged Remote Access 25.1.1+; verify cloud/SaaS instances patched
  2. Verify Automatic Updates – Confirm self-hosted deployments subscribed to automatic updates; validate successful patch installation
  3. Restrict Network Exposure – Place instances behind VPN/firewall/zero-trust; limit to authorized administrators only (port obscurity insufficient)
  4. Conduct Compromise Assessment – Hunt for anomalous WebSocket activity, unexpected command execution, suspicious child processes, new accounts, deployed RMM tools
  5. Enhance Detection – Monitor for unauthorized RMM tools, PSExec execution across hosts, Impacket SMBv2 activity; tune EDR solutions
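To make recommendations 4 and 5 concrete, here is an added Python example (not Hive Pro or BeyondTrust code) that runs the PsExec and Impacket lateral-movement checks over a constructed export of Windows System (7045, service installed) and Security (4688, process creation) events. The patterns are the widely documented defaults of PsExec (PSEXESVC service) and Impacket's smbexec (BTOBTO service, execute.bat stager) and wmiexec (output redirected into the ADMIN$ share via 127.0.0.1); operators can rename all of them, so a miss is not a clean bill of health and a hit is a lead to triage, not proof of compromise. The key=value line format is an assumption about how a SIEM flattens these records.

```python
"""Hunt Windows event exports for the lateral-movement artefacts this advisory
lists: PsExec service installs and Impacket smbexec/wmiexec remote execution.

Added example, not Hive Pro or BeyondTrust code. The event lines are constructed;
the patterns are the documented defaults of PsExec and Impacket and are
heuristics, not signatures of CVE-2026-1731 itself.
"""
import re

# Constructed export: one Windows event per line, flattened to key=value pairs
# the way many SIEMs deliver System (7045) and Security (4688) records.
SAMPLE_EVENTS = [
    "2026-02-12T03:14:07Z host=FILESRV01 EventID=7045 ServiceName=PSEXESVC "
    "ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    "2026-02-12T03:14:52Z host=FILESRV01 EventID=7045 ServiceName=BTOBTO "
    "ImagePath=%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat "
    "& %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat Account=LocalSystem",
    "2026-02-12T03:15:10Z host=DC01 EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1770865310.23 2>&1",
    "2026-02-12T03:16:30Z host=WS042 EventID=7045 ServiceName=PSEXESVC "
    "ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    "2026-02-12T03:20:00Z host=DC01 EventID=7045 ServiceName=Spooler "
    "ImagePath=C:\\Windows\\System32\\spoolsv.exe Account=LocalSystem",
    "2026-02-12T03:21:00Z host=WS042 EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c dir C:\\Users",
]

# key=value fields whose values may contain spaces: a value ends where the next
# ' key=' token begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# wmiexec default: stdout redirected to \\127.0.0.1\ADMIN$\__<unix-timestamp>.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")


def parse_event(line):
    timestamp, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["Timestamp"] = timestamp
    return event


def rule_psexec(e):
    haystack = (e.get("ServiceName", "") + " " + e.get("ImagePath", "")).upper()
    return e.get("EventID") == "7045" and "PSEXESVC" in haystack


def rule_impacket_smbexec(e):
    path = e.get("ImagePath", "")
    return e.get("EventID") == "7045" and (
        e.get("ServiceName") == "BTOBTO" or "\\__output" in path or "execute.bat" in path)


def rule_impacket_wmiexec(e):
    return e.get("EventID") == "4688" and WMIEXEC_RE.search(e.get("CommandLine", "")) is not None


RULES = {
    "psexec_service_install": rule_psexec,
    "impacket_smbexec_service": rule_impacket_smbexec,
    "impacket_wmiexec_cmdline": rule_impacket_wmiexec,
}


def hunt(lines):
    """Return one finding per (event, rule) match, in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(event):
                findings.append({"rule": name, "host": event.get("host"), "time": event["Timestamp"]})
    return findings


def psexec_spread(findings):
    """Hosts with a PsExec service install. More than one host in the window is the
    'PsExec across multiple hosts' lateral-movement pattern the advisory calls out."""
    return sorted({f["host"] for f in findings if f["rule"] == "psexec_service_install"})


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['host']:10} {f['rule']}")
    hosts = psexec_spread(found)
    if len(hosts) > 1:
        print("PsExec seen on multiple hosts:", ", ".join(hosts))
```

Scope the time window to the period after the appliance was first reachable from the internet with a vulnerable version, and pivot from any hit to the source of the SMB or WMI session: if it is the BeyondTrust appliance or a host it manages, treat the appliance as compromised and proceed with the compromise assessment rather than just patching.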

MITRE ATT&CK TTPs

Initial Access: T1190 | Execution: T1059 | Reconnaissance: T1595.002 | Discovery: T1018 | Lateral Movement: T1021 | Command & Control: T1219 | Resource Development: T1588.006 | Privilege Escalation: T1068
