BeyondTrust CVE-2026-1731: what it means for privileged access


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: A critical unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access, CVE-2026-1731, lets attackers reach privileged appliances through a crafted WebSocket message, with active exploitation confirmed within 24 hours of public proof-of-concept availability according to Orca Security. Privileged access gateways now have to be treated as internet-facing identity control points, not just remote support tooling.

NHIMG editorial — based on content published by Orca Security: BeyondTrust CVE-2026-1731 and the risks of compromised privileged access appliances

By the numbers:

  • A critical vulnerability (CVE-2026-1731, CVSS 9.9) was publicly disclosed on February 6, 2026 affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).
  • BeyondTrust states that approximately 75% of the Fortune 100 use its products, and researchers at Hacktron AI identified roughly 11,000 internet-facing instances via Shodan and Fofa at the time of disclosure.
  • By February 11, GreyNoise’s Global Observation Grid detected scanning surges, with a single IP address responsible for 86% of observed probe traffic.

Questions worth separating out

Q: What breaks when a privileged access appliance is remotely exploitable?

A: The appliance stops being a control point and becomes an attacker foothold.

Q: Why do internet-facing PAM systems create outsized identity risk?

A: Because they sit at the point where credentials, sessions, and administrative workflows converge.

Q: How do security teams know whether a privileged access appliance has been abused?

A: Look for host-level command execution from the appliance service user, unexpected binaries in program data locations, new account creation, and lateral movement tools such as PSExec or Impacket.

Practitioner guidance

  • Patch privileged access appliances immediately: apply the fixed BeyondTrust versions or BT26-02 as soon as possible, and treat unpatched internet-facing instances as active compromise candidates rather than routine backlog items.
  • Reduce external reachability to PAM control planes: restrict portal access with IP allowlists, VPN, or geoblocking where business operations allow it, and confirm that the /nw WebSocket path is not reachable from broad internet space.
  • Hunt for appliance-borne lateral movement: check for unexpected child processes, new accounts, credential vault access, and tools such as PSExec or Impacket emerging from BeyondTrust-hosted sessions or service-user context.
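The hunting checks in the last item, turned into a small triage script that runs over process-creation events. This is an added example, not code from Orca Security or BeyondTrust; the service-account name, the constructed sample events and the field names are assumptions, so map them to your own EDR or Sysmon export before use.

```python
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Assumed placeholder for the appliance's host-side service account; substitute the real one.
APPLIANCE_SERVICE_USER = "svc-bt-appliance"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "wmiexec.py", "smbexec.py",
                 "atexec.py", "dcomexec.py", "secretsdump.py"}
PROGRAM_DATA = "c:\\programdata\\"

@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str

def _tokens(command_line: str) -> set[str]:
    """Lower-cased basenames of every token, so 'python C:\\x\\wmiexec.py' still matches."""
    return {ntpath.basename(tok).lower() for tok in command_line.split()}

def hunt(events: list[dict]) -> list[Finding]:
    """Apply the four checks from the guidance above to process-creation events."""
    findings = []
    for ev in events:
        path = ev["image"].lower()
        image = ntpath.basename(path)
        cmd = ev["command_line"].lower()
        if ev["user"].lower() == APPLIANCE_SERVICE_USER and image in SHELLS:
            findings.append(Finding(ev["id"], "command execution from appliance service user"))
        if path.startswith(PROGRAM_DATA):
            findings.append(Finding(ev["id"], "binary executing from ProgramData"))
        if image in {"net.exe", "net1.exe"} and " user " in f" {cmd} " and "/add" in cmd:
            findings.append(Finding(ev["id"], "local account creation"))
        if image in LATERAL_TOOLS or _tokens(cmd) & LATERAL_TOOLS:
            findings.append(Finding(ev["id"], "lateral movement tool (PsExec/Impacket)"))
    return findings

# Constructed sample events (not real telemetry); ids 5 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "user": "svc-bt-appliance", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "user": "svc-bt-appliance", "image": "C:\\ProgramData\\tmp\\updater.exe", "command_line": "updater.exe"},
    {"id": 3, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net user backup_svc P@ss /add"},
    {"id": 4, "user": "CORP\\alice", "image": "C:\\Tools\\PsExec.exe", "command_line": "PsExec.exe \\\\fileserver cmd"},
    {"id": 5, "user": "CORP\\bob", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},
    {"id": 6, "user": "svc-bt-appliance", "image": "C:\\Program Files\\Vendor\\agent.exe", "command_line": "agent.exe"},
    {"id": 7, "user": "CORP\\alice", "image": "C:\\Python\\python.exe", "command_line": "python wmiexec.py corp/alice@host"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.reason}")
```

Each finding is a starting point for triage, not a verdict; expect to extend the allowlists with whatever the appliance legitimately spawns in your environment.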

What's in the full article

Orca Security's full report covers the operational detail this post intentionally leaves for the source:

  • Exact command-injection payload structure and the vulnerable Bash evaluation path
  • Patch and version guidance for RS and PRA deployments, including fixed release numbers
  • Network and host detection indicators for post-compromise triage
  • Observed exploitation timeline and exploit-chain telemetry from external sensors

Read Orca Security's analysis of CVE-2026-1731 and privileged access RCE.

