CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
Bleeping Computer
by Bill Toulas, February 20, 2026
AI-Generated Deep Dive Summary
Hackers are actively exploiting the CVE-2026-1731 vulnerability in BeyondTrust’s Remote Support product, according to a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This remote code execution (RCE) flaw affects versions 25.3.1 or earlier of Remote Support and 24.3.4 or earlier of Privileged Remote Access. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on February 13, giving federal agencies just three days to apply patches or disable the product. The issue was first disclosed by BeyondTrust on February 6 as a pre-authentication RCE vulnerability caused by an OS command injection weakness, exploitable through specially crafted client requests.
Proof-of-concept (PoC) exploits for CVE-2026-1731 were released shortly after its disclosure, and in-the-wild exploitation began almost immediately. BeyondTrust later confirmed that the vulnerability had been exploited as early as January 31, making it a zero-day vulnerability for at least a week before a patch was available. Researcher Harsh Jaiswal and the Hacktron AI team reported detecting this activity on a single Remote Support appliance.
BeyondTrust has provided updates to address the issue. For cloud-based (SaaS) customers, patches were applied automatically on February 2, requiring no manual intervention. However, self-hosted instance users must enable automatic updates or manually apply patches through the '/appliance' interface and verify their installation. Customers of Remote Support should update to version 25.3.2, while Privileged Remote Access users are advised to switch to version 25.1.1 or newer. Those using older versions (RS v21.3 and PRA v22.1) are strongly recommended to upgrade before applying patches.
This vulnerability highlights the critical need for organizations to prioritize timely patching and monitoring of their IT infrastructure. The rapid release of Po
Originally published on Bleeping Computer on 2/20/2026