Cybersecurity Threat Advisory: Critical RCE Flaw in BeyondTrust

A critical pre-authentication remote code execution (RCE) vulnerability has been identified in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). If left unpatched, it may result in full system compromise, data loss, or service disruption. Review this Cybersecurity Threat Advisory now to reduce your risk.

What is the threat?

CVE-2026-1731 is a pre-authentication RCE vulnerability affecting BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products. By sending specially crafted requests to exposed endpoints, an attacker can run arbitrary OS-level commands without needing to log in.

BeyondTrust Remote Support is widely used by IT teams for remote diagnostics and troubleshooting, while Privileged Remote Access acts as a secure gateway for accessing sensitive internal systems. If exploited, this flaw could allow an attacker to seize full control of affected machines, enabling data theft, unauthorized access, or operational disruption.

The vulnerability impacts RS versions 25.3.1 and earlier and PRA versions 24.3.4 and earlier. Patches are available in RS 25.3.2+ and PRA 25.1.1+. BeyondTrust has already secured all SaaS instances, but on‑premises environments still require immediate manual patching.

Why is it noteworthy?

This vulnerability is high‑risk due to BeyondTrust’s extensive enterprise customer base—including many Fortune 100 organizations—and the privileged nature of RS and PRA deployments. Attackers are highly motivated to target tools that enable remote access and elevated permissions.

Compounding the concern, BeyondTrust has faced multiple high-profile security incidents in recent years. Previous zero-day flaws such as CVE‑2024‑12356 and CVE‑2024‑12686 were leveraged to steal an infrastructure API key and compromise 17 Remote Support SaaS instances, including systems associated with the U.S. Treasury Department. The recurring pattern of targeted exploitation highlights the importance of rapid remediation.

What is the exposure or risk?

This vulnerability affects:

  • RS on-premises deployments up to version 25.3.1
  • PRA on-premises deployments up to version 24.3.4

These systems remain at risk until updated to RS 25.3.2+ or PRA 25.1.1+. Although BeyondTrust secured all SaaS environments by February 2, 2026, on‑premises systems still require manual updates.

Potential impacts include:

  • Full system compromise
  • Unauthorized data access or exfiltration
  • Service outages
  • Increased risk for internet-facing deployments

Notably, approximately 8,500 on‑premises RS and PRA instances were found to be exposed to the internet prior to patch availability. Combined with cloud deployments, an estimated 11,000 instances are externally visible, creating a substantial attack surface, especially given the ease of exploitation.

What are the recommendations?

Barracuda recommends taking the following actions to reduce risk:

  • Patch immediately:
    Upgrade RS to 25.3.2+ and PRA to 25.1.1+ on all on‑premises systems.
  • Reduce exposure:
    If patching is delayed, restrict or remove internet access to RS/PRA gateways and enforce strict network access controls.
  • Isolate critical systems:
    Implement network segmentation to limit lateral movement opportunities.
  • Strengthen vulnerability management:
    Maintain regular discovery and assessment of all remote-access tools.
  • Keep third-party platforms updated:
    Establish consistent patching schedules and enable automatic updates wherever possible.
  • Increase monitoring:
    Log and alert on unusual or unauthenticated requests targeting RS/PRA endpoints to detect exploitation attempts early.
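
The version ranges and priorities above can be applied to an asset inventory as follows. This is an added example, not code from Barracuda or BeyondTrust; the host names, field names and the `triage` and `report` helpers are constructed for illustration. PRA versions above 24.3.4 and below 25.1.1 are not addressed by the advisory, so the script flags them for manual verification rather than guessing.

```python
import re

# Version boundaries as stated in the advisory.
LAST_AFFECTED = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}
FIRST_FIXED = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}

def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); raise ValueError for anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '25.3' to (25, 3, 0)

def triage(asset):
    """Return (status, priority) for one record; priority 0 is most urgent."""
    product = asset["product"].upper()
    if product not in LAST_AFFECTED:
        return ("not-in-scope", 3)
    if asset.get("deployment") == "saas":
        return ("vendor-patched", 3)  # advisory: SaaS instances already secured
    try:
        version = parse_version(asset["version"])
    except ValueError:
        return ("verify", 2)  # unknown version string: check by hand
    if version >= FIRST_FIXED[product]:
        return ("patched", 3)
    if version <= LAST_AFFECTED[product]:
        # Internet-facing deployments carry increased risk, so they go first.
        return ("vulnerable", 0 if asset.get("internet_facing") else 1)
    return ("verify", 2)  # between the two ranges: the advisory is silent

# Constructed sample inventory (hypothetical hosts and field names).
FIELDS = ("host", "product", "version", "deployment", "internet_facing")
INVENTORY = [dict(zip(FIELDS, row)) for row in [
    ("rs-dmz-01", "RS", "25.3.1", "on-prem", True),
    ("pra-core-01", "PRA", "24.3.4", "on-prem", False),
    ("pra-lab-02", "PRA", "25.0.2", "on-prem", False),
    ("rs-new-03", "RS", "25.3.2", "on-prem", True),
    ("rs-cloud-04", "RS", "25.3.1", "saas", True),
]]

def report(inventory):
    """List (priority, host, status) with the most urgent findings first."""
    return sorted((triage(a)[1], a["host"], triage(a)[0]) for a in inventory)

if __name__ == "__main__":
    for priority, host, status in report(INVENTORY):
        print(f"P{priority}  {host:<12} {status}")
```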

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
