CVE-2026-1731

BeyondTrust Remote Support Pre-Auth Remote Code Execution

CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). By sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the web application site user. BeyondTrust Remote Support is widely deployed in enterprise and SMB environments for helpdesk and IT support operations, creating direct privileged access to end-user machines. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalogue, with active exploitation observed in the wild (GreyNoise confirmed reconnaissance scanning). A working proof-of-concept exploit is publicly available on GitHub. Successful exploitation provides attackers with a foothold in the support infrastructure, enabling lateral movement to all machines with active or historical BeyondTrust support sessions.

Microsoft Sentinel / Defender
```kusto
// CVE-2026-1731 - BeyondTrust Remote Support Pre-Auth RCE
// Detect exploitation attempts against the BeyondTrust RS/PRA web interface
// via WAF/IDS/IPS events (CommonSecurityLog) and IIS access logs (W3CIISLog).
let BeyondTrustPorts = dynamic([80, 443, 8080, 8443]);
let RCEIndicatorPaths = dynamic([
    "/beyondtrust", "/support", "/remote", "/api/",
    "/login", "/session", "/websocket"
]);
let SuspiciousUserAgents = dynamic([
    "python-requests", "curl", "wget", "Go-http-client",
    "Nuclei", "zgrab", "masscan"
]);
// isfuzzy=true keeps the query valid in workspaces where one of the two tables is absent.
union isfuzzy=true CommonSecurityLog, W3CIISLog
| where TimeGenerated > ago(24h)
// Normalise the two schemas before filtering. W3CIISLog carries sPort/csUriStem/csMethod/cIP
// rather than DestinationPort/RequestURL/RequestMethod/SourceIP, so filtering on the
// CommonSecurityLog columns alone would silently drop every IIS row.
| extend Port = coalesce(DestinationPort, toint(sPort)),
         Url = coalesce(RequestURL, strcat(csUriStem, iff(isempty(csUriQuery), "", strcat("?", csUriQuery)))),
         Method = coalesce(RequestMethod, csMethod),
         SrcIP = coalesce(SourceIP, cIP),
         UserAgent = coalesce(RequestClientApplication, csUserAgent)
| where Port in (BeyondTrustPorts)
    and (DeviceVendor has_any ("BeyondTrust", "Bomgar")
         or Url has_any ("/beyondtrust", "/remote", "/login"))
// Message terms such as "exec" and "shell" are broad; narrow them to the WAF vendor's
// alert wording once the rule has been tuned.
| where UserAgent has_any (SuspiciousUserAgents)
    or Message has_any ("command injection", "os.system", "exec", "shell", "/bin/sh", "cmd.exe")
    or (Method in ("POST", "PUT") and Url has_any (RCEIndicatorPaths))
| project TimeGenerated, Type, SrcIP, DestinationIP, Port,
    Url, Method, UserAgent, Message, AdditionalExtensions
| extend ThreatIndicator = "CVE-2026-1731-BeyondTrust-PreAuthRCE"
| sort by TimeGenerated desc
```

Severity: Critical. Confidence: Medium.

Data Sources

  • CommonSecurityLog (WAF/IDS/IPS)
  • W3CIISLog (IIS web server logs)
  • SecurityEvent (Windows event logs on the BeyondTrust host)
  • DeviceProcessEvents (Microsoft Defender for Endpoint)

Required Tables

  • CommonSecurityLog
  • DeviceProcessEvents

False Positives

  • Legitimate vulnerability scanners or pen test tools probing BeyondTrust during authorised assessments
  • BeyondTrust REST API clients with non-standard user agent strings
  • Load balancer health checks against BeyondTrust web interface
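The indicator logic of the Sentinel query above, together with the three false-positive classes just listed, as an added reference implementation that is not part of the original detection package: it parses constructed W3C IIS access-log lines, applies the same port, path, user-agent and payload-marker tests, and then suppresses matches that come from an authorised-scanner subnet, a load-balancer health-check address or a known API client. The function names (`parse_w3c`, `classify`, `run_detection`), the network ranges, the agent strings and the log lines are all assumptions constructed for the example; the matching is case-insensitive substring matching rather than KQL's term-based `has_any`, so expect slightly broader hits than the query itself.

```python
# Added reference implementation of the detection logic above, over constructed W3C IIS
# access-log lines, with allowlists for the listed false-positive classes. Every IP,
# network, agent string and log line below is a constructed placeholder.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BEYONDTRUST_PORTS = {80, 443, 8080, 8443}
SCOPE_PATHS = ("/beyondtrust", "/remote", "/login")          # scoping terms from the query
RCE_INDICATOR_PATHS = ("/beyondtrust", "/support", "/remote", "/api/", "/login", "/session", "/websocket")
SUSPICIOUS_USER_AGENTS = ("python-requests", "curl", "wget", "go-http-client", "nuclei", "zgrab", "masscan")
PAYLOAD_MARKERS = ("/bin/sh", "cmd.exe", "os.system")        # unambiguous subset of the query's Message terms
# Tuning allowlists: assumed values for an example environment, not from the page.
AUTHORISED_SCANNER_NETS = [ip_network("10.10.0.0/24")]       # assumption: internal scanner subnet
LOAD_BALANCER_NETS = [ip_network("10.0.0.9/32")]             # assumption: health-check source address
KNOWN_API_CLIENT_AGENTS = ("bt-rs-api-client/",)             # assumption: in-house automation UA prefix


@dataclass(frozen=True)
class Finding:
    src_ip: str
    method: str
    url: str
    user_agent: str
    reasons: Tuple[str, ...]
    suppressed_by: Optional[str] = None   # set when a false-positive rule matched


def _in_nets(ip: str, nets) -> bool:
    return any(ip_address(ip) in n for n in nets)


def parse_w3c(lines) -> List[Dict[str, str]]:
    """Parse W3C extended log lines; the #Fields directive names the columns."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and line.strip():
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str]) -> Optional[Finding]:
    """Apply the query's indicator tests, then the allowlists. None means no match."""
    try:
        port = int(rec.get("s-port", ""))
    except ValueError:
        return None
    query = rec.get("cs-uri-query", "-")
    url = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
    ua = rec.get("cs(User-Agent)", "-").replace("+", " ")   # IIS encodes spaces as '+'
    method, src = rec.get("cs-method", ""), rec.get("c-ip", "")
    low_url, low_ua = url.lower(), ua.lower()
    # Scoping filter (substring match here; KQL has_any matches whole terms).
    if port not in BEYONDTRUST_PORTS or not any(p in low_url for p in SCOPE_PATHS):
        return None
    reasons = []
    if any(s in low_ua for s in SUSPICIOUS_USER_AGENTS):
        reasons.append("suspicious_user_agent")
    if any(m in low_url for m in PAYLOAD_MARKERS):
        reasons.append("payload_marker_in_request")
    if method in ("POST", "PUT") and any(p in low_url for p in RCE_INDICATOR_PATHS):
        reasons.append("write_to_indicator_path")
    if not reasons:
        return None
    # False-positive handling; a request carrying a payload marker is never suppressed.
    suppressed = None
    if "payload_marker_in_request" not in reasons:
        if _in_nets(src, AUTHORISED_SCANNER_NETS):
            suppressed = "authorised_scanner"
        elif method == "GET" and _in_nets(src, LOAD_BALANCER_NETS):
            suppressed = "load_balancer_health_check"
        elif low_ua.startswith(KNOWN_API_CLIENT_AGENTS):
            suppressed = "known_api_client"
    return Finding(src, method, url, ua, tuple(reasons), suppressed)


def run_detection(lines) -> Tuple[List[Finding], List[Finding]]:
    """Return (alerts, suppressed) in log order."""
    alerts, suppressed = [], []
    for rec in parse_w3c(lines):
        f = classify(rec)
        if f is not None:
            (suppressed if f.suppressed_by else alerts).append(f)
    return alerts, suppressed


# Constructed sample: an external scripted POST, an authorised scanner, an LB probe,
# an in-house API client, and a request carrying a marker string in its query.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-02-10 09:14:02 10.0.0.5 POST /remote/api/session - 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 31
2026-02-10 09:14:05 10.0.0.5 GET /login - 443 - 10.10.0.4 Nuclei+-+Open-source+scanner - 200 0 0 12
2026-02-10 09:14:09 10.0.0.5 GET /login - 443 - 10.0.0.9 Go-http-client/1.1 - 200 0 0 3
2026-02-10 09:14:20 10.0.0.5 POST /remote/api/client - 443 - 10.0.0.20 bt-rs-api-client/1.0 - 200 0 0 40
2026-02-10 09:14:33 10.0.0.5 GET /remote/session x=/bin/sh 443 - 198.51.100.23 Mozilla/5.0+(X11) - 500 0 0 88
""".splitlines()

if __name__ == "__main__":
    for f in run_detection(SAMPLE_LOG)[0]:
        print("ALERT", f.src_ip, f.method, f.url, f.reasons)
```

Run against the constructed sample, the two external requests (the scripted POST and the request carrying a marker string) alert, while the scanner, health-check and API-client requests are recorded as suppressed with the rule that matched. The allowlists are deliberately narrow: the scanner exemption is keyed on a source network, the health-check exemption additionally requires a GET, and the API-client exemption only removes the user-agent and write-path reasons, so any request carrying a payload marker still alerts whatever its source.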
