Vulnerability Database / CVE-2026-1731 CVE-2026-1731: BeyondTrust Remote Support RCE Vulnerability CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and older Privileged Remote Access versions. Attackers can execute OS commands without authentication. Published : February 13, 2026 CVE-2026-1731 Overview BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. Critical Impact Unauthenticated attackers can achieve remote code execution by sending specially crafted requests to vulnerable BeyondTrust Remote Support and Privileged Remote Access instances, allowing complete system compromise without requiring any credentials. Affected Products BeyondTrust Remote Support (RS) BeyondTrust Privileged Remote Access (PRA) - certain older versions Discovery Timeline 2026-02-06 - CVE CVE-2026-1731 published to NVD 2026-02-09 - Last updated in NVD database Technical Details for CVE-2026-1731 Vulnerability Analysis This pre-authentication remote code execution vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on affected BeyondTrust systems. The vulnerability exists due to improper neutralization of special elements in user-supplied input, which is subsequently passed to OS command execution functions. Because authentication is not required to exploit this flaw, any network-accessible instance of BeyondTrust Remote Support or vulnerable versions of Privileged Remote Access is at immediate risk. The attack can be executed remotely over the network without requiring user interaction, making it particularly dangerous for internet-facing deployments. Commands executed through this vulnerability run in the context of the site user, potentially allowing attackers to gain a foothold on the target system, exfiltrate sensitive data, or pivot to other systems within the network. Root Cause The root cause of CVE-2026-1731 is an OS Command Injection vulnerability (CWE-78). The application fails to properly sanitize or validate user-controlled input before incorporating it into operating system commands. This allows attackers to inject malicious command sequences that are then executed by the underlying operating system. The pre-authentication nature of the vulnerability suggests that the vulnerable code path is accessible before any authentication checks are performed. Attack Vector The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by crafting malicious HTTP requests containing OS command injection payloads. The specially crafted requests bypass input validation and allow command execution in the context of the site user account. Organizations with internet-exposed BeyondTrust Remote Support or Privileged Remote Access instances are at highest risk, though internal attackers with network access could also exploit this vulnerability. The vulnerability mechanism involves improper handling of user-supplied input that gets passed to system command execution functions. For technical details on the specific exploitation techniques and affected components, refer to the BeyondTrust Security Advisory BT26-02 . Detection Methods for CVE-2026-1731 Indicators of Compromise Unusual HTTP requests to BeyondTrust Remote Support or PRA endpoints containing shell metacharacters or command injection patterns Unexpected processes spawned by the BeyondTrust application service account or site user context Abnormal outbound network connections from BeyondTrust servers to unknown or suspicious destinations Evidence of command execution artifacts such as unexpected files, scheduled tasks, or user accounts Detection Strategies Deploy web application firewall (WAF) rules to detect and block common OS command injection patterns in requests to BeyondTrust services Implement network intrusion detection signatures for known command injection attack patterns targeting BeyondTrust products Monitor BeyondTrust application logs for malformed requests or error messages indicating injection attempts Enable endpoint detection and response (EDR) monitoring on BeyondTrust servers to detect post-exploitation activity Monitoring Recommendations Establish baseline behavior for BeyondTrust application processes and alert on deviations such as unexpected child processes or network connections Implement log aggregation and SIEM correlation for BeyondTrust access logs, web server logs, and system event logs Configure alerts for authentication failures followed by successful command exec