Active Exploitation of Critical BeyondTrust Vulnerability (CVSS 9.9)

Security researchers have confirmed active exploitation of a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and allows unauthenticated remote code execution.

According to watchTowr, attackers are abusing the get_portal_info function to extract sensitive values before establishing a WebSocket connection. Successful exploitation can lead to unauthorized access, data theft, and service disruption.

Security fixes are already available:

  • Remote Support — Patch BT26-02-RS (v21.3–25.3.1)
  • Privileged Remote Access — Patch BT26-02-PRA (v22.1–24.X)
  • PRA version 25.1+ is not affected

CISA has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting real-world risk.

Bottom line:
Organizations should patch immediately, restrict external access to BeyondTrust portals, and monitor for suspicious activity to reduce the risk of compromise.

source: https://thehackernews.com/2026/02/researchers-observe-in-wild.html