CISA has now flagged CVE-2026-1731, a critical pre-authentication remote code execution flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), as being used in ransomware campaigns, signalling that exploitation has moved beyond opportunistic scanning into hands-on-keyboard intrusion activity. If you run self-hosted RS/PRA and haven’t patched, treat this as a priority 0 incident-response-and-patching event. (BleepingComputer)
Impact:
According to BeyondTrust’s BT26-02 advisory, the vulnerability is an OS command injection condition that can be triggered via specially crafted client requests, enabling code execution without authentication in the context of the “site user”. NVD records the issue as critical and describes the same pre-auth RCE outcome. (BeyondTrust)
Impacted versions (per multiple responders):
- Remote Support: 25.3.1 and earlier → upgrade to 25.3.2+
- Privileged Remote Access: 24.3.4 and earlier → upgrade to 25.1.1+ (Rapid7)
SaaS vs self-hosted reality check:
- BeyondTrust states SaaS instances were patched automatically on 2 Feb 2026.
- Self-hosted customers must verify updates were applied (or patch manually). (BeyondTrust)
Rapid weaponisation signal: reconnaissance within 24 hours of public PoC
GreyNoise reporting indicates that internet-wide reconnaissance for CVE-2026-1731 began almost immediately after public exploit code surfaced. In its public analysis, GreyNoise states that a proof-of-concept (PoC) was posted to GitHub on 10 February 2026, and its Global Observation Grid observed reconnaissance probing by 11 February 2026, placing the PoC-to-reconnaissance window at less than 24 hours. (greynoise.io)
Timeline (observed):
- 10 February 2026: Public PoC published (GitHub). (greynoise.io)
- 11 February 2026: Internet-wide reconnaissance activity detected by GreyNoise sensors. (greynoise.io)
This accelerated transition from disclosure to scanning materially reduces the defensive window for organisations operating internet-exposed BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) infrastructure. Secondary reporting echoes GreyNoise’s “within 24 hours” assessment, reinforcing the likelihood of rapid, opportunistic targeting of exposed appliances. (securityweek.com)
CISA KEV + ransomware indicator:
BleepingComputer reports CISA added CVE-2026-1731 to KEV on 13 Feb 2026 and has now toggled the KEV field “Known To Be Used in Ransomware Campaigns?” to Known. SecurityWeek notes CISA’s KEV update explicitly reflects ransomware exploitation, while also highlighting that specific ransomware crews are not yet publicly attributed. (BleepingComputer)
Practical takeaway: once the KEV ransomware flag flips, you should assume adversaries are using access for:
- pre-ransomware positioning (credentialing, persistence, discovery, lateral movement), and/or
- data theft prior to encryption. (SecurityWeek)
Technical overview: how exploitation appears to work
Unit 42’s technical analysis ties CVE-2026-1731 to the thin-scc-wrapper component handling WebSocket connections, and describes exploitation during the WebSocket handshake by abusing the remoteVersion value—leveraging shell evaluation behaviour to reach command execution. Unit 42 references endpoints including /nw and calls out the attacker-controlled handshake value as the pivot for injection. (Unit 42)
From a detection standpoint, the most useful implications are:
- Look for unexpected WebSocket handshakes to BeyondTrust RS/PRA internet-facing interfaces.
- Hunt for odd remoteVersion-like values containing shell metacharacters or command-substitution patterns.
- Correlate handshake anomalies with subsequent appliance-level process execution and outbound C2. (Unit 42)
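The handshake-hunting bullets above can be turned into a small triage script. The following is an added example, not code from Unit 42 or BeyondTrust: it assumes a key=value appliance log export with an `event=ws_handshake` record carrying `src`, `path` and `remoteVersion` fields (the real RS/PRA log layout differs, so adapt `parse_line`), and flags any `remoteVersion` value that is not a plain dotted version or that contains shell metacharacters or `$(`/`${` substitution. The sample lines are constructed.

```python
"""Flag WebSocket handshake log entries whose client-supplied version field
looks like it carries shell metacharacters or command substitution.

Added example, not code from Unit 42 or BeyondTrust. The log line layout
below is an ASSUMPTION (space-separated key=value appliance log, one
handshake per line); the real RS/PRA format differs, so adapt parse_line.
"""
import re
from dataclasses import dataclass

# Characters and constructs that have no place in a product version string
# but are meaningful to a POSIX shell evaluating an attacker-controlled value.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

# A legitimate version looks like 25.3.1 or 24.3.4 (digits and dots only).
VERSION_OK = re.compile(r"^\d+(\.\d+){0,3}$")

# Assumed log layout: key=value pairs, values optionally double-quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    src_ip: str
    path: str
    value: str
    reason: str


def parse_line(line):
    """Split one assumed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def inspect_handshake(line):
    """Return a Finding if the remoteVersion value is suspicious, else None."""
    f = parse_line(line)
    if f.get("event") != "ws_handshake":
        return None
    value = f.get("remoteVersion", "")
    if VERSION_OK.match(value):
        return None
    if SHELL_META.search(value):
        reason = "shell metacharacter or command substitution in remoteVersion"
    else:
        # Not dangerous on its face, but worth a look: a real client sends a version.
        reason = "remoteVersion does not look like a version string"
    return Finding(f.get("src", "?"), f.get("path", "?"), value, reason)


def hunt(lines):
    """Run inspect_handshake over a log and keep only the findings."""
    return [x for x in (inspect_handshake(l) for l in lines) if x]


# Constructed sample lines (not real appliance output).
SAMPLE_LOG = [
    'event=ws_handshake src=203.0.113.10 path=/nw remoteVersion=25.3.1',
    'event=ws_handshake src=198.51.100.7 path=/nw remoteVersion="25.3.1;CONSTRUCTED"',
    'event=ws_handshake src=198.51.100.8 path=/nw remoteVersion="$(CONSTRUCTED)"',
    'event=http_get src=203.0.113.11 path=/login',
    'event=ws_handshake src=198.51.100.9 path=/nw remoteVersion=latest',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding.src_ip} {finding.path} {finding.value!r}: {finding.reason}")
```

Findings with the "metacharacter" reason are the ones to correlate with subsequent process execution and outbound connections from the appliance; the "does not look like a version string" reason is a lower-confidence triage bucket that will need tuning against your own client population.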
What intrusions look like: webshells, backdoors, remote tools
Unit 42 reports observed attacker behaviour including network reconnaissance, account creation, webshell deployment, C2 traffic, backdoors/remote management tools, lateral movement, and data theft, and specifically highlights VShell and SparkRAT associated with exploitation activity. (Unit 42)
They also note observed targeting across multiple sectors and geographies (including the U.S., France, Germany, Australia, and Canada), reinforcing that this is not a niche or region-locked campaign pattern. (Unit 42)
Timeline (key dates defenders should anchor on)
- 31 Jan 2026: BeyondTrust detects anomalous activity on a Remote Support appliance (as described in BT26-02’s timeline). (BeyondTrust)
- 2 Feb 2026: BeyondTrust states patches were automatically deployed to SaaS and to instances with update service enabled. (BeyondTrust)
- 6 Feb 2026: BeyondTrust publishes BT26-02 and CVE-2026-1731. (BeyondTrust)
- 10 Feb 2026: PoC goes public; BeyondTrust timeline also records exploitation attempts observed around this period. (greynoise.io)
- 11 Feb 2026: GreyNoise observes reconnaissance at scale (under 24 hours after PoC). (greynoise.io)
- 13 Feb 2026: CISA adds CVE-2026-1731 to KEV (per multiple secondary sources). (BleepingComputer)
- 20 Feb 2026: Reporting notes CISA’s KEV entry now indicates ransomware use. (BleepingComputer)
Indicators of Compromise (IOCs)
The following IOC set is published by Unit 42. Values are kept defanged for safe handling. (Unit 42)
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| IP | 23[.]162[.]40[.]187 | Observed IOC | Unit 42 (Unit 42) |
| IP | 37[.]19[.]221[.]180 | Observed IOC | Unit 42 (Unit 42) |
| IP | 45[.]61[.]150[.]96 | Observed IOC | Unit 42 (Unit 42) |
| IP | 70[.]23[.]0[.]66 | Observed IOC | Unit 42 (Unit 42) |
| IP | 82[.]29[.]53[.]187 | Observed IOC | Unit 42 (Unit 42) |
| IP | 82[.]29[.]72[.]16 | Observed IOC | Unit 42 (Unit 42) |
| IP | 83[.]138[.]53[.]139 | Observed IOC | Unit 42 (Unit 42) |
| IP | 85[.]155[.]186[.]121 | Observed IOC | Unit 42 (Unit 42) |
| IP | 92[.]223[.]44[.]134 | Observed IOC | Unit 42 (Unit 42) |
| IP | 98[.]10[.]233[.]76 | Observed IOC | Unit 42 (Unit 42) |
| IP | 134[.]122[.]13[.]34 | Observed IOC | Unit 42 (Unit 42) |
| IP | 138[.]197[.]14[.]95 | Observed IOC | Unit 42 (Unit 42) |
| IP | 142[.]111[.]152[.]50 | Observed IOC | Unit 42 (Unit 42) |
| IP:Port | 144[.]172[.]103[.]200:4444 | Observed IOC | Unit 42 (Unit 42) |
| IP | 155[.]2[.]215[.]64 | Observed IOC | Unit 42 (Unit 42) |
| IP | 178[.]128[.]212[.]209 | Observed IOC | Unit 42 (Unit 42) |
| IP | 179[.]43[.]146[.]42 | Observed IOC | Unit 42 (Unit 42) |
| URL | hxxp[:]//64[.]31[.]28[.]221/support | Observed IOC | Unit 42 (Unit 42) |
| Domain:Port/Path | aliyundunupdate[.]xyz:8084/slt | VShell | Unit 42 (Unit 42) |
| Domain | d65sb7ngveucv5k2nm508abdsjmbn7qmn[.]oast[.]pro | OAST callback | Unit 42 (Unit 42) |
| Domain | q0r2e5q2dzbykcox9qmkptm12s8mwb[.]oastify[.]com | OAST callback | Unit 42 (Unit 42) |
| URL | hxxp[:]//134[.]122[.]13[.]34:8979/c | SparkRAT | Unit 42 (Unit 42) |
| URL | hxxp[:]//82[.]29[.]53[.]187:8778/app_cli | Observed IOC | Unit 42 (Unit 42) |
| URL | hxxps[:]//transfer[.]weepee[.]io/7nZw7/blue.drx | Observed IOC | Unit 42 (Unit 42) |
| URL | hxxp[:]//85[.]155[.]186[.]121/access | SimpleHelp | Unit 42 (Unit 42) |
| URL | hxxps[:]//temp[.]sh/tQTSs/storm.exe | Observed IOC | Unit 42 (Unit 42) |
| URL | hxxps[:]//64[.]95[.]10[.]115:23011/update.sh | Observed IOC | Unit 42 (Unit 42) |
| URL | hxxps[:]//raw[.]githubusercontent[.]com/nezhahq/scripts/main/agent/install.ps1 | Observed IOC | Unit 42 (Unit 42) |
| SHA-256 | 9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350 | SparkRAT | Unit 42 (Unit 42) |
| SHA-256 | 98a7b0900a9072bb40af579ec372da7b27af12b15868394df51fefe290ab176b | VShell | Unit 42 (Unit 42) |
| SHA-256 | 66cceb2c2f1d9988b501832fd3b559775982e2fce4ab38fc4ffe71b74eafc726 | maintenance.php | Unit 42 (Unit 42) |
| SHA-256 | 679ee05d92a858b6fe70aeb6072eb804548f1732e18b6c181af122b833386afb | d6 | Unit 42 (Unit 42) |
| SHA-256 | 4762e944a0ce1f9aef243e11538f84f16b6f36560ed6e32dfd9a5f99e17e8e50 | SimpleHelp installer | Unit 42 (Unit 42) |
| SHA-256 | 98442387d466f27357d727b3706037a4df12a78602b93df973b063462a677761 | aws.php | Unit 42 (Unit 42) |
| SHA-256 | cc2bc3750cc5125a50466f66ae4f2bedf1cac0e43477a78ed2fd88f3e987a292 | Bash script | Unit 42 (Unit 42) |
| SHA-256 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce | file_save.php | Unit 42 (Unit 42) |
| SHA-256 | 0ecc867ce916d01640d76ec03de24d1d23585eb582e9c48a0364c62a590548ac | Observed IOC | Unit 42 (Unit 42) |
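To act on the defanged table above you have to refang the values and match them against your own telemetry. The block below is an added example, not Unit 42 tooling: it carries a subset of the IOCs copied from the table, refangs them (`[.]`, `[:]`, `hxxp`), reduces URLs and host:port/path entries to their host, and matches constructed connection and file-hash records (assumed `("conn", dest_host)` / `("hash", sha256)` tuples) against the result. Only the IOC values are from the page; the records are constructed.

```python
"""Parse the defanged Unit 42 IOC list for CVE-2026-1731, refang it, and
match it against outbound-connection and file-hash records.

Added example, not tooling from Unit 42. The IOC values are a subset copied
from the table above; the records are CONSTRUCTED samples in an assumed
(kind, value) layout, not real telemetry.
"""
import re
from urllib.parse import urlsplit

# Subset of the defanged Unit 42 IOCs from the table above (type, value).
DEFANGED_IOCS = [
    ("IP", "23[.]162[.]40[.]187"),
    ("IP:Port", "144[.]172[.]103[.]200:4444"),
    ("URL", "hxxp[:]//134[.]122[.]13[.]34:8979/c"),
    ("Domain:Port/Path", "aliyundunupdate[.]xyz:8084/slt"),
    ("Domain", "q0r2e5q2dzbykcox9qmkptm12s8mwb[.]oastify[.]com"),
    ("SHA-256", "9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350"),
]


def refang(value):
    """Undo the usual defanging: [.] -> . , [:] -> : , hxxp(s) -> http(s)."""
    v = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", v, flags=re.IGNORECASE)


def host_of(value):
    """Host part (IP or domain) of a refanged URL or host[:port][/path] entry."""
    if value.startswith(("http://", "https://")):
        return urlsplit(value).hostname
    return re.split(r"[:/]", value, maxsplit=1)[0]


def build_index(defanged):
    """Return (hosts, hashes) sets, lower-cased for case-insensitive matching."""
    hosts, hashes = set(), set()
    for kind, raw in defanged:
        v = refang(raw)
        if kind == "SHA-256":
            hashes.add(v.lower())
        else:
            hosts.add(host_of(v).lower())
    return hosts, hashes


def match_records(records, hosts, hashes):
    """records: iterable of (kind, value); kind is 'conn' (destination host)
    or 'hash' (SHA-256 of a file). Returns the records that hit an IOC."""
    hits = []
    for kind, value in records:
        v = value.lower()
        if (kind == "conn" and v in hosts) or (kind == "hash" and v in hashes):
            hits.append((kind, value))
    return hits


# Constructed records, not real telemetry.
SAMPLE_RECORDS = [
    ("conn", "134.122.13.34"),
    ("conn", "203.0.113.5"),
    ("conn", "aliyundunupdate.xyz"),
    ("hash", "9F431D5549A03AEE92CFD2BDBBE90F1C91E965C99E90A0C9AD5A001F4E80C350"),
    ("hash", "0" * 64),
]


def run(records=SAMPLE_RECORDS):
    hosts, hashes = build_index(DEFANGED_IOCS)
    return match_records(records, hosts, hashes)


if __name__ == "__main__":
    for kind, value in run():
        print(f"IOC hit [{kind}] {value}")
```

Matching on the host rather than the full URL is deliberate: a connection log rarely records the path, and the same C2 host may serve more than one path. Port-specific entries (for example `:4444`) are kept as a host match here; if your logs carry destination ports, tighten the match to host and port.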
Detection & hunting guidance
- Confirm exposure
  - Identify any RS/PRA appliances reachable from the internet (especially on non-standard ports—GreyNoise notes actors deliberately probed beyond 443). (greynoise.io)
- Log review for initial access
  - Review RS/PRA appliance logs for new inbound WebSocket sessions and suspicious handshake patterns, particularly around 10–11 Feb 2026 onwards and any unexplained activity since late January. (greynoise.io)
- Post-exploitation telemetry
  - Hunt for:
    - unexpected account creation,
    - webshell-like PHP files and suspicious directories,
    - outbound connections to the IOC infrastructure above,
    - deployment of remote tools (Unit 42 explicitly mentions tools like SimpleHelp, AnyDesk, and tunnelling utilities in observed follow-on behaviour). (Unit 42)
- Network controls
  - Block/alert on known bad indicators (IPs/domains/hashes) from Unit 42 where it won’t break legitimate business connectivity. (Unit 42)
MITRE ATT&CK snapshot
| Tactic | Technique | Why it matters here |
|---|---|---|
| Initial Access | T1190 | Pre-auth exploitation of an internet-facing remote access platform |
| Execution | T1059.004 | Shell/Bash-style command execution patterns referenced in technical analysis |
| Persistence | T1505.003 | Webshell deployment observed by Unit 42 |
| Credential Access / Persistence | T1136.002 | Domain account creation noted in observed behaviour (where applicable) |
| Discovery | T1046 | Reconnaissance and scanning patterns precede exploitation waves |
| Command & Control | T1071.001 | Web-based C2 patterns consistent with remote tools / RAT behaviour |
| Exfiltration | T1041 | Data theft is explicitly called out as observed follow-on activity |
(Technique selection is grounded in publicly reported observations; your environment may show additional techniques depending on follow-on tooling.) (Unit 42)
Mitigation recommendations (what to do now)
If you operate self-hosted BeyondTrust RS/PRA:
- Patch immediately to RS 25.3.2+ and/or PRA 25.1.1+ (or apply BeyondTrust’s BT26-02 patches for supported older branches where applicable). (BeyondTrust)
- If you cannot patch within hours, remove external exposure and place management interfaces behind a VPN/ZTNA with strict allowlisting (Canada’s Cyber Centre explicitly recommends restricting interfaces and removing exposed instances until patched). (Canadian Centre for Cyber Security)
- Assume compromise is plausible if the appliance was internet-facing during the Feb 10–Feb 20 window (or earlier) and perform an incident review: credential resets, session key reviews, admin account audit, and targeted threat hunting using Unit 42 IOCs. (Unit 42)
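The three mitigation steps above (patch to the fixed release, cut external exposure if you cannot, assume compromise for anything that was internet-facing) can be driven from an appliance inventory. The following is an added example, not BeyondTrust tooling: it uses the fixed versions as summarised above (RS 25.3.2, PRA 25.1.1), parses version strings with optional suffixes, and ranks unpatched appliances so internet-facing ones come first. The inventory rows are constructed. Caveat, carried in the code as well: a plain version comparison cannot see a BT26-02 patch backported to an older supported branch, so a "below fixed version" result means "verify against the vendor patch list", not proof of exposure.

```python
"""Inventory check against the BT26-02 fixed versions: flag self-hosted RS/PRA
appliances below the fixed release, prioritising internet-facing ones.

Added example, not BeyondTrust tooling. Fixed versions are those summarised
in the advisory write-up above (RS 25.3.2+, PRA 25.1.1+). Inventory rows are
CONSTRUCTED. Caveat: a version comparison cannot detect a BT26-02 patch
backported to an older supported branch, so treat a finding as "confirm
with the vendor patch list", not as proof the appliance is vulnerable.
"""
import re

# Minimum fixed release per product, from the advisory summary above.
FIXED = {
    "RS": (25, 3, 2),   # Remote Support: 25.3.1 and earlier affected
    "PRA": (25, 1, 1),  # Privileged Remote Access: 24.3.4 and earlier affected
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1); '25.1.1-hotfix' -> (25, 1, 1); '25.3' -> (25, 3, 0).
    Non-numeric suffixes are ignored; anything else is rejected."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_fixed(product, version):
    """True when the running version is at or above the fixed release."""
    return parse_version(version) >= FIXED[product]


def assess(inventory):
    """inventory: list of dicts with name, product, version, internet_facing.
    Returns findings for unpatched appliances, internet-facing (P0) first."""
    findings = []
    for a in inventory:
        if is_fixed(a["product"], a["version"]):
            continue
        fixed = ".".join(map(str, FIXED[a["product"]]))
        if a["internet_facing"]:
            priority, action = "P0", (
                f"upgrade to {fixed}+ now (or confirm a BT26-02 backport); "
                "remove external exposure until patched and run an incident review"
            )
        else:
            priority, action = "P1", (
                f"upgrade to {fixed}+ (or confirm a BT26-02 backport); "
                "review logs for unexplained activity since late January"
            )
        findings.append({
            "name": a["name"],
            "product": a["product"],
            "version": a["version"],
            "priority": priority,
            "action": action,
        })
    findings.sort(key=lambda f: f["priority"])
    return findings


# Constructed inventory, not a real estate.
INVENTORY = [
    {"name": "rs-dmz-01", "product": "RS", "version": "25.3.1", "internet_facing": True},
    {"name": "rs-lab-02", "product": "RS", "version": "25.3.2", "internet_facing": False},
    {"name": "pra-core-01", "product": "PRA", "version": "24.3.4", "internet_facing": False},
    {"name": "pra-edge-01", "product": "PRA", "version": "25.1.1-hotfix", "internet_facing": True},
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f['priority']}] {f['name']} {f['product']} {f['version']}: {f['action']}")
```

The `internet_facing` flag is the input that matters most: the exposure check at the top of the hunting guidance feeds it, and it decides whether a finding is a patching ticket or an incident review.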
Further reading
- Vendor & vulnerability record: BeyondTrust BT26-02 advisory; NVD entry for CVE-2026-1731 (BeyondTrust)
- Early-warning telemetry: GreyNoise: reconnaissance began in under 24 hours (greynoise.io)
- Intrusion tradecraft + IOCs: Unit 42: VShell & SparkRAT observed in exploitation (Unit 42)
- KEV / ransomware status reporting: BleepingComputer coverage; SecurityWeek coverage (BleepingComputer)
- Government advisory (additional mitigation framing): Canadian Centre for Cyber Security alert AL26-003 (Canadian Centre for Cyber Security)
