title: BeyondTrust Remote Support Pre-Auth Remote Code Execution (CVE-2026-1731)
id: df00tech-cve-2026-1731
status: experimental
description: "CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). By sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the web application site user. BeyondTrust Remote Support is widely deployed in enterprise and SMB environments for helpdesk and IT support operations, which gives the appliance direct privileged access to end-user machines. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalogue, with active exploitation observed in the wild (GreyNoise confirmed reconnaissance scanning), and a working proof-of-concept exploit is publicly available on GitHub. Successful exploitation gives an attacker a foothold in the support infrastructure, enabling lateral movement to every machine with an active or historical BeyondTrust support session."
references:
  - https://attack.mitre.org/techniques/CVE-2026-1731/
  - https://df00tech.com/detections/CVE-2026-1731
author: df00tech
date: 2026/04/22
tags:
  - cve.2026.1731
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated. As written, the selection
  # below (EventID: '*') matches every process_creation event and will fire on all of them.
  # Replace it with the KQL/SPL query published on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate vulnerability scanners or penetration-testing tools probing BeyondTrust during authorised assessments
  - BeyondTrust REST API clients with non-standard user-agent strings
  - Load balancer health checks against the BeyondTrust web interface
level: critical
