

Ethical Hacking News

CISA Warns of Actively Exploited BeyondTrust RCE Flaw Used in Ransomware Attacks



A vulnerability in BeyondTrust Remote Support that was discovered just days before its official disclosure has been actively exploited by hackers in ransomware attacks, warns CISA. With federal agencies now at risk of being targeted, it's crucial to patch this remote code execution flaw ASAP.

  • CISA has issued a warning about an actively exploited vulnerability in the BeyondTrust Remote Support product.
  • The vulnerability, CVE-2026-1731, is a pre-authentication remote code execution vulnerability caused by an OS command injection weakness.
  • The patch was automatically applied to cloud-based applications on February 2, but self-hosted instances require manual intervention or automatic updates.
  • CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator, indicating active exploitation in ransomware attacks.



    CISA, or the U.S. Cybersecurity and Infrastructure Security Agency, has issued a warning to federal agencies regarding an actively exploited vulnerability in the BeyondTrust Remote Support product. The agency's alert comes after researchers confirmed that the CVE-2026-1731 vulnerability had been detected on January 31, making it a zero-day vulnerability for at least a week.

    The vulnerability, classified as a pre-authentication remote code execution vulnerability caused by an OS command injection weakness, can be exploited via specially crafted client requests sent to vulnerable endpoints. This means that hackers could potentially use the vulnerability to execute arbitrary code on a system without needing authentication or privileges.

    According to CISA, the vulnerability affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier. The agency has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in its Known Exploited Vulnerabilities (KEV) catalog, indicating that the vulnerability is being actively exploited in ransomware attacks.

    In a statement, BeyondTrust said that the report from researcher Harsh Jaiswal and the Hacktron AI team confirmed the anomalous activity detected on a single Remote Support appliance at the time. The vendor also stated that the patch was applied automatically to cloud-based applications (SaaS) on February 2, so no manual intervention is needed for those customers.

    However, customers of self-hosted instances need to either enable automatic updates and verify that the patch was applied via the '/appliance' interface or manually install it. The recommendation for Remote Support users is to install version 25.3.2, while Privileged Remote Access users should switch to version 25.1.1 or newer.
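    The version boundaries above can be applied to an asset inventory to decide which appliances need attention first. The following Python script is an added example, not code from the article, CISA or BeyondTrust; the CSV columns, product labels and hostnames are hypothetical, and the inventory is constructed sample data. Versions that fall between the stated affected ceiling and the recommended fixed release are flagged for a manual check, because the article gives no verdict for them.

```python
import csv
import io
import re

# Version boundaries exactly as stated in the article above.
AFFECTED_MAX = {"remote-support": (25, 3, 1), "privileged-remote-access": (24, 3, 4)}
FIXED_MIN = {"remote-support": (25, 3, 2), "privileged-remote-access": (25, 1, 1)}

# Constructed inventory: hostnames, column names and product labels are hypothetical.
SAMPLE_INVENTORY = """host,product,deployment,version
rs-01.example.internal,remote-support,self-hosted,25.3.1
rs-02.example.internal,remote-support,self-hosted,25.3.2
pra-01.example.internal,privileged-remote-access,self-hosted,24.3.4
pra-02.example.internal,privileged-remote-access,self-hosted,24.3.5
pra-03.example.internal,privileged-remote-access,self-hosted,25.1.1
rs-cloud.example.internal,remote-support,saas,25.3.1
rs-03.example.internal,remote-support,self-hosted,unknown
"""

def parse_version(text):
    """Return (major, minor, patch), or None when the string is not N.N.N."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip(), re.ASCII)
    return tuple(int(g) for g in match.groups()) if match else None

def classify(product, deployment, version_text):
    """Map one inventory row to a triage status for CVE-2026-1731."""
    if product not in AFFECTED_MAX:
        return "UNKNOWN_PRODUCT"
    if deployment == "saas":
        # The vendor states SaaS instances were patched automatically on February 2.
        return "VENDOR_PATCHED"
    version = parse_version(version_text)
    if version is None:
        return "CHECK_MANUALLY"  # unparseable: confirm on the appliance itself
    if version <= AFFECTED_MAX[product]:
        return "VULNERABLE"
    if version >= FIXED_MIN[product]:
        return "PATCHED"
    return "CHECK_MANUALLY"  # between the two boundaries: not covered by the article

def triage(inventory_csv):
    """Return {host: status} for every row of the inventory CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["deployment"], r.get("version") or "")
            for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15} {host}")
```

    A PATCHED result only reflects the version recorded in the inventory; the patch state of a self-hosted instance is confirmed through the '/appliance' interface mentioned above.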

    CISA has urged federal agencies to take immediate action to apply the patch and protect themselves against potential attacks. With the high risk of ransomware attacks, it is essential for organizations to stay vigilant and keep their systems up-to-date with the latest security patches.





  • Published: Fri Feb 20 11:27:00 2026 by llama3.2 3B Q4_K_M












