Detect BeyondTrust Remote Support Pre-Auth Remote Code Execution in Splunk

CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). By sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the web application site user. BeyondTrust Remote Support is widely deployed in enterprise and SMB environments for helpdesk and IT support operations, creating direct privileged access to end-user machines. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalogue, with active exploitation observed in the wild (GreyNoise confirmed reconnaissance scanning). A working proof-of-concept exploit is publicly available on GitHub. Successful exploitation provides attackers with a foothold in the support infrastructure, enabling lateral movement to all machines with active or historical BeyondTrust support sessions.

MITRE ATT&CK

Tactic: Initial Access, Execution

SPL Detection Query

Splunk (SPL)

```spl
index=network sourcetype IN ("access_combined", "iis", "pan:traffic", "cisco:asa", "fortigate:traffic", "suricata", "snort")
(
  (dest_port IN (80, 443, 8080, 8443))
  AND (
    (uri_path IN ("/beyondtrust", "/remote", "/login", "/api") OR product="BeyondTrust" OR product="Bomgar")
    OR (cs_useragent IN ("python-requests*", "curl*", "wget*", "Go-http-client*", "Nuclei*", "zgrab*"))
    OR (method="POST" AND (uri_path="/login" OR uri_path="/api/"))
  )
)
| eval is_scanner=if(
    match(cs_useragent, "(?i)(nuclei|zgrab|masscan|python-requests|curl|wget|go-http-client)"),
    "true", "false"
  )
| eval is_post_to_api=if(
    method="POST" AND match(uri_path, "(?i)(/api/|/login|/session)"),
    "true", "false"
  )
| where is_scanner="true" OR is_post_to_api="true"
| stats count AS Requests,
        dc(src_ip) AS UniqueSourceIPs,
        values(src_ip) AS SourceIPs,
        values(cs_useragent) AS UserAgents,
        values(uri_path) AS Paths,
        values(method) AS Methods,
        values(status) AS StatusCodes
  BY dest_ip, dest_port, _time span=1h
| where Requests > 5
| eval CVE="CVE-2026-1731"
| eval Severity="CRITICAL"
| eval KEV_Listed="Yes"
| table _time, dest_ip, SourceIPs, UserAgents, Paths, Methods, StatusCodes, Requests, CVE, Severity, KEV_Listed
| sort - Requests
```

Severity: critical · Confidence: medium

Detects pre-auth RCE exploitation attempts targeting BeyondTrust Remote Support (CVE-2026-1731) by correlating web access logs for scanner tool signatures and anomalous POST requests to BeyondTrust API/login endpoints. The vulnerability is actively exploited and listed in CISA KEV.

Data Sources

  • Web server access logs (Apache/IIS/nginx)
  • Network IDS/IPS (Suricata, Snort, Palo Alto Threat Prevention)
  • Firewall/proxy traffic logs

Required Sourcetypes

  • access_combined
  • iis
  • pan:traffic

False Positives & Tuning

  • Authorised vulnerability scans using common scanner tools
  • Automated monitoring probes checking BeyondTrust availability
  • BeyondTrust API integrations with non-standard user agents
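The eval/where/stats stages of the query above, replayed offline over access_combined lines so the scanner and POST-to-API classification, the 1h bucketing and the Requests > 5 threshold can be checked before deployment; an allowlist of authorised scanner sources covers the tuning cases just listed. This is an added illustration in Python, not code from the page; the log lines, the host name `bt-rs-01` standing in for dest_ip, and the `allowed_src` parameter are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache access_combined lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Feb/2026:14:02:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Feb/2026:14:02:13 +0000] "POST /api/session HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Feb/2026:14:03:01 +0000] "POST /api/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Feb/2026:14:03:02 +0000] "GET /remote HTTP/1.1" 200 1024 "-" "Nuclei - Open-source project"
203.0.113.5 - - [10/Feb/2026:14:03:03 +0000] "GET /beyondtrust HTTP/1.1" 404 0 "-" "zgrab/0.x"
198.51.100.9 - - [10/Feb/2026:14:10:44 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/122.0"
198.51.100.9 - - [10/Feb/2026:14:10:50 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/122.0"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                     r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Same patterns as the SPL eval stages (is_scanner / is_post_to_api).
SCANNER_RE = re.compile(r"(?i)(nuclei|zgrab|masscan|python-requests|curl|wget|go-http-client)")
API_PATH_RE = re.compile(r"(?i)(/api/|/login|/session)")
FIELDS = ("SourceIPs", "UserAgents", "Paths", "Methods", "StatusCodes")

def classify(line):
    """Parse one access_combined line and add the two eval flags; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["is_scanner"] = bool(SCANNER_RE.search(rec["ua"]))
    rec["is_post_to_api"] = rec["method"] == "POST" and bool(API_PATH_RE.search(rec["path"]))
    return rec

def detect(log_text, dest="bt-rs-01", threshold=5, allowed_src=frozenset()):
    """Mirror of the SPL where/stats stages: count flagged requests per (dest, 1h bucket)
    and keep buckets with more than `threshold` requests. `dest` stands in for dest_ip
    (hypothetical host name); `allowed_src` drops authorised scanner sources (tuning)."""
    buckets = defaultdict(lambda: {"Requests": 0, **{f: set() for f in FIELDS}})
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None or rec["src"] in allowed_src:
            continue
        if not (rec["is_scanner"] or rec["is_post_to_api"]):
            continue  # equivalent of `where is_scanner="true" OR is_post_to_api="true"`
        hour = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(minute=0, second=0)
        b = buckets[(dest, hour.isoformat())]
        b["Requests"] += 1
        for f, key in zip(FIELDS, ("src", "ua", "path", "method", "status")):
            b[f].add(rec[key])
    return {k: v for k, v in buckets.items() if v["Requests"] > threshold}
```

Against the sample, the 14:00 bucket collects seven flagged requests (six scanner-tagged plus one browser POST /login) and fires; allowlisting 203.0.113.5 as an authorised scanner leaves one request and no alert.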

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Send crafted POST request to BeyondTrust login endpoint

    Expected signal: Web server access log: POST /login from attacker IP. Process creation: w3wp.exe or web daemon spawning cmd.exe or /bin/sh.
