CVE-2026-1731
CISA KEV, Ransomware
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Threats tracking this CVE
- CVE-2026-1731 — BeyondTrust Pre-Auth RCE, CVSS 9.8, CISA KEV, Actively Exploited — Unauthenticated OS Command Injection in Remote Support & Privileged Remote Access, SimpleHelp RAT Post-Exploitation, Full Domain Control, Silk Typhoon Predecessor Chain — CRITICAL
- BeyondTrust Pre-Auth RCE (CVE-2026-1731) — CVSS 9.9, CISA KEV, WebSocket Command Injection, VShell/SparkRAT, 16K+ Exposed Instances, Multi-Sector Campaign — CRITICAL
References
- https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
- https://github.com/win3zz/CVE-2026-1731
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1731
- https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731