Critical: CVE-2026-1731 (CVSS 9.9)

BeyondTrust Remote Support Under Active Attack After PoC Drops

A critical pre-authentication RCE vulnerability in BeyondTrust Remote Support and Privileged Remote Access is now being actively exploited after a proof-of-concept was published. With a CVSS of 9.9 and approximately 8,500 unpatched on-premise deployments exposed, organizations must patch immediately.

By Danny, Feb 15, 2026

Affected Products
BeyondTrust Remote Support 25.3.1 and earlier
BeyondTrust Privileged Remote Access 24.3.4 and earlier

If your organization uses BeyondTrust Remote Support or Privileged Remote Access and you haven't patched in the last two weeks, you should probably assume you've been compromised. That's not hyperbole. Attackers are now actively exploiting CVE-2026-1731, a pre-authentication remote code execution vulnerability with a CVSS score of 9.9, and a proof-of-concept exploit has been publicly available on GitHub since yesterday.

Ryan Dewhurst, head of threat intelligence at watchTowr, reported overnight that his team observed the first in-the-wild exploitation attempts across their global sensor network. The attackers are targeting exposed BeyondTrust portals, abusing the get_portal_info endpoint to extract the X-Ns-Company identifier, then establishing a WebSocket channel to execute commands on vulnerable systems. No credentials required. No user interaction needed. Just send a specially crafted request and you're running commands in the context of the site user.

The vulnerability affects BeyondTrust Remote Support versions 25.3.1 and earlier, along with Privileged Remote Access versions 24.3.4 and earlier. BeyondTrust disclosed the flaw on February 6th after Hacktron AI discovered and reported it through responsible disclosure on January 31st. To their credit, BeyondTrust moved fast. They confirmed the vulnerability the same day it was reported, developed a patch, and pushed it to all cloud and SaaS customers by February 2nd. The problem is the roughly 8,500 on-premise deployments that need to patch manually.

Hacktron's exposure analysis paints a concerning picture. Approximately 11,000 BeyondTrust Remote Support instances are currently exposed to the internet, split between cloud deployments and on-premise installations. The industries relying heavily on these tools read like a list of high-value targets: large enterprises, healthcare organizations, financial services firms, government agencies, and hospitality companies. These are environments where remote access and privileged session management are critical to daily operations, and where a compromise could cascade into something much worse.

The technical details of the attack are straightforward enough that exploitation was inevitable once the advisory dropped. An attacker sends a request to the get_portal_info endpoint, which returns the X-Ns-Company value for that deployment. Armed with that identifier, the attacker establishes a WebSocket connection to the target device and gains the ability to execute operating system commands. The advisory explicitly warns that successful exploitation requires no authentication or user interaction and may lead to system compromise, unauthorized access, data exfiltration, and service disruption.
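As an added example that is not part of the original article or of any BeyondTrust tooling, the script below hunts for the two-step sequence just described (a get_portal_info request followed shortly by a WebSocket upgrade from the same client) in web-server access logs in front of the appliance. The log line format, the /get_portal_info and /ws paths and the five-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical combined-style access log (constructed; adapt the regex to what the
# appliance or reverse proxy really writes): ip - - [ts] "METHOD path proto" status bytes "Upgrade"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<upgrade>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event

def find_exploit_chains(lines, window_seconds=300):
    """Return {ip: [(portal_info_ts, websocket_ts), ...]} for every client that
    requested get_portal_info and then opened a WebSocket within the window.
    Order matters: a WebSocket opened before any get_portal_info call is ignored."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            by_ip[event["ip"]].append(event)
    hits = defaultdict(list)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        portal_times = [e["ts"] for e in events if "get_portal_info" in e["path"]]
        for e in events:
            if e["upgrade"].lower() != "websocket":
                continue
            for pt in portal_times:
                if pt <= e["ts"] <= pt + window:
                    hits[ip].append((pt, e["ts"]))
                    break
    return dict(hits)

# Constructed sample: 203.0.113.7 follows the advisory's sequence, 198.51.100.4 does not.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Feb/2026:09:12:01] "GET /get_portal_info HTTP/1.1" 200 512 "-"',
    '203.0.113.7 - - [15/Feb/2026:09:12:03] "GET /ws HTTP/1.1" 101 0 "websocket"',
    '198.51.100.4 - - [15/Feb/2026:09:15:10] "GET /login HTTP/1.1" 200 2048 "-"',
    '198.51.100.4 - - [15/Feb/2026:09:15:12] "GET /ws HTTP/1.1" 101 0 "websocket"',
]
```

A hit is a lead to triage against the patch status of that appliance and the session records for the same time range, not proof of compromise on its own.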

What makes this particularly dangerous is what BeyondTrust Remote Support and Privileged Remote Access actually do. These aren't obscure utilities sitting in a corner of the network. They're the tools organizations use to provide remote technical support and manage privileged access sessions. Compromising one of these appliances potentially gives an attacker visibility into every remote session it handles, along with a foothold in an environment that's already designed to provide elevated access to systems.

Self-hosted customers need to apply patch BT26-02-RS for Remote Support or upgrade to version 25.3.2 or later. For Privileged Remote Access, the fix is patch BT26-02-PRA or an upgrade to version 25.1.1 or later. If your instance isn't subscribed to automatic updates, this won't happen on its own. You need to do it manually, and you needed to do it two weeks ago.

The disclosure timeline on this one was actually handled well. Hacktron reported the issue, BeyondTrust acknowledged it immediately, patches shipped within days, and the coordinated disclosure gave organizations a window to remediate. That window is now closed. The proof-of-concept is public, exploitation is active, and every unpatched system is a target. If you're reading this and managing BeyondTrust infrastructure, stop reading and go patch. Everything else can wait.
