
BeyondTrust CVE-2026-1731: Critical Pre-Auth RCE in Privileged Access Tools Hits CISA KEV

A near-maximum-severity flaw, CVE-2026-1731 (CVSSv4 9.9), in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated remote code execution via a trivially simple WebSocket exploit and is now actively exploited in the wild.


TechDrop Editorial


BeyondTrust disclosed CVE-2026-1731 on February 6, 2026, a critical vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products with a CVSSv4 score of 9.9 — near the maximum possible severity rating. The flaw allows an unauthenticated remote attacker to execute arbitrary code on the target system via a crafted WebSocket message.

Trivially Simple Exploitation

Rapid7's analysis of the vulnerability describes the exploitation mechanism as "trivially simple." An attacker sends a WebSocket message to the BeyondTrust appliance containing a crafted version string. The version string is processed without adequate validation, leading to code execution in the context of the BeyondTrust service. No authentication, no credentials, no multi-step chain — a single network request to an exposed BeyondTrust appliance is sufficient for full compromise.

The simplicity of the exploit is a significant factor in its risk assessment. Complex exploitation chains provide a natural barrier to mass exploitation because they require specialized knowledge and tooling. A trivially simple pre-authentication RCE removes that barrier, enabling both sophisticated threat actors and less-skilled attackers to compromise vulnerable systems.

Active Exploitation Timeline

BeyondTrust released the fix in version 25.3.2. For hosted (cloud) instances, the patch was auto-deployed on February 2, 2026, four days before public disclosure. Self-hosted instances required a manual update. The first observed exploitation attempt was detected on February 10, 2026. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog on February 13, triggering mandatory remediation timelines for US federal agencies.

Palo Alto Networks' Unit 42 threat intelligence team identified VShell and SparkRAT as malware deployed in post-exploitation activity following successful CVE-2026-1731 exploitation. VShell is a cross-platform remote access tool, and SparkRAT is an open-source RAT written in Go — both consistent with threat actors establishing persistent access for future operations rather than one-time data theft.

Why BeyondTrust Matters

BeyondTrust's Remote Support and Privileged Remote Access products are deployed by large enterprises and government agencies specifically to manage privileged access to sensitive systems. These appliances sit at a critical juncture in network architecture: they provide authorized remote access to servers, workstations, and infrastructure components that would otherwise be isolated. Compromising a BeyondTrust appliance gives an attacker the same vantage point as an authorized administrator — broad network visibility and legitimate-looking access to downstream systems.

Organizations running self-hosted BeyondTrust RS or PRA versions 25.3.1 or earlier should treat the update to 25.3.2 as a top-priority emergency patch. Given the trivial exploitation requirements and confirmed in-the-wild activity, any delay in patching exposed instances carries substantial risk of compromise. Patching alone does not evict an intruder who has already dropped VShell or SparkRAT, so any instance that was reachable while unpatched should also be reviewed for post-exploitation artefacts rather than assumed clean once updated.
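Two checks a defender would want at this point, written as an added example for this article and not taken from BeyondTrust or Rapid7: a numeric version comparison against the 25.3.2 fix (string comparison would wrongly flag "25.3.10" as older than "25.3.2"), and a strict allowlist validator for version strings, which is the generic shape of the input validation the article says was missing. The validator is an illustration of the principle, not a reproduction of the affected code path; the inventory, hostnames and function names are constructed for the example.

```python
"""Affected-version triage for CVE-2026-1731 (added example; not BeyondTrust code)."""
import re
from typing import Dict, List, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = (25, 3, 2)

# Allowlist: 2 to 4 dotted numeric components, 1-4 digits each, nothing else.
# Used with fullmatch, so a trailing newline, a semicolon, or any other
# byte outside the pattern causes rejection instead of partial acceptance.
_VERSION_RE = re.compile(r"\d{1,4}(?:\.\d{1,4}){1,3}")


def validate_version_string(raw: str) -> Tuple[int, ...]:
    """Return the numeric components of a well-formed version string.

    Raises ValueError for anything that is not a plain dotted-numeric
    version: wrong type, overlong input, control characters, shell
    metacharacters, or extra fields. Reject first, parse second.
    """
    if not isinstance(raw, str) or len(raw) > 32:
        raise ValueError("version string missing or too long")
    if not _VERSION_RE.fullmatch(raw):
        raise ValueError(f"rejected malformed version string: {raw!r}")
    return tuple(int(part) for part in raw.split("."))


def is_affected(raw: str) -> bool:
    """True if the build predates 25.3.2 and therefore still needs the patch."""
    parts = validate_version_string(raw)
    # Normalise to three components so "25.3" compares as 25.3.0 and a
    # four-part build number compares on its first three fields.
    padded = (parts + (0, 0, 0))[:3]
    return padded < FIXED_VERSION


# Constructed inventory for the example; hostnames are hypothetical.
CONSTRUCTED_INVENTORY: List[Dict[str, str]] = [
    {"host": "rs-dmz-01.example.internal", "version": "25.3.1"},
    {"host": "pra-hq-01.example.internal", "version": "25.3.2"},
    {"host": "rs-lab-02.example.internal", "version": "24.2.5"},
    {"host": "rs-lab-03.example.internal", "version": "25.3.10"},   # newer than 25.3.2
    {"host": "rs-bad-01.example.internal", "version": "25.3.1; id"},  # malformed: reject, never compare
]


def triage(inventory: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts needing the 25.3.2 update and hosts whose
    reported version could not be trusted and must be inspected by hand."""
    needs_patch: List[str] = []
    rejected: List[str] = []
    for entry in inventory:
        try:
            if is_affected(entry["version"]):
                needs_patch.append(entry["host"])
        except ValueError:
            rejected.append(entry["host"])
    return needs_patch, rejected


if __name__ == "__main__":
    patch, bad = triage(CONSTRUCTED_INVENTORY)
    print("needs 25.3.2:", patch)
    print("malformed version, inspect manually:", bad)
```

The important detail is the order of operations in `is_affected`: the string is validated against a tight allowlist before any parsing or comparison, so an unexpected value fails closed and surfaces in the `rejected` list instead of being silently coerced.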
