Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability (CVE-2026-1731)

Key Takeaways:
- Critical Vulnerability: CVE-2026-1731 allows unauthenticated remote code execution (RCE) on BeyondTrust Privileged Remote Access systems.
- Active Exploitation: Threat actors are weaponizing proof-of-concept exploits within 24 hours of disclosure.
- CISA Updates: Four additional major vulnerabilities in Apple, Notepad++, SolarWinds, and Microsoft have been added to the KEV catalog.
- Supply Chain Risk: The Lotus Blossom group is targeting software update mechanisms to deliver undocumented backdoors.
- Immediate Action: Patching is mandatory for BeyondTrust PRA versions 22.1 through 24.X.

Table of Contents:
- Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability
- Analysis of CVE-2026-1731 and the Attack Lifecycle
- Expansion of the Known Exploited Vulnerabilities (KEV) Catalog
- CVE-2026-20700: Memory Buffer Vulnerability in Apple Ecosystem
- CVE-2025-15556: Notepad++ Supply Chain Compromise
- CVE-2025-40536: SolarWinds Web Help Desk Security Bypass
- CVE-2024-43468: Microsoft Configuration Manager SQL Injection
- Technical Implications of State-Sponsored Activity
- The Role of Monitoring in Mitigating Rapid Exploitation
- Practical Takeaways for Technical and Business Leaders
- Strategic Defensive Measures

Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability

Security researchers have identified active, in-the-wild exploitation of a critical vulnerability in BeyondTrust Privileged Remote Access (PRA). The flaw, identified as CVE-2026-1731 with a CVSS score of 9.9, allows unauthenticated attackers to achieve remote code execution (RCE) on affected systems. This vulnerability represents a significant risk to organizations using BeyondTrust for secure access management, as it permits the execution of arbitrary operating system commands within the context of the site user.
The exploitation of CVE-2026-1731 involves a multi-step process targeting specific components of the BeyondTrust PRA interface. Threat intelligence sensors, including those operated by watchTowr, first recorded the activity on February 12, 2026. Attackers are abusing the get_portal_info function to extract the x-ns-company value. Once this value is obtained, the attacker establishes a WebSocket channel to facilitate command execution. Because this is an unauthenticated RCE vulnerability, no valid credentials are required for initial access. Successful exploitation leads to unauthorized data access, exfiltration of sensitive information, and total service disruption.

BeyondTrust has confirmed that all versions of Privileged Remote Access between 22.1 and 24.X are vulnerable. Organizations must apply Patch BT26-02-PRA to secure these systems. Notably, PRA versions 25.1 and higher contain the necessary security controls to prevent this exploit and do not require additional patching for this specific CVE.

GreyNoise and Defused Cyber have corroborated these findings, observing reconnaissance and exploitation attempts within 24 hours of a proof-of-concept (PoC) exploit becoming public. Intelligence data indicates that a significant portion of the observed scanning activity (approximately 86% of sessions) originates from a single IP address associated with a commercial VPN provider based in Frankfurt. This suggests a coordinated effort by established scanning operations to integrate CVE-2026-1731 checks into their automated toolkits.

Analysis of CVE-2026-1731 and the Attack Lifecycle

The speed at which CVE-2026-1731 was weaponized demonstrates the narrow window available to security teams. When a critical vulnerability is disclosed, threat actors utilize automated scanners to identify exposed instances globally. For organizations, maintaining an effective cyber threat intelligence platform is necessary to identify these scanning trends before exploitation occurs.
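The two observable steps described above (a get_portal_info request followed shortly by a WebSocket upgrade from the same source, with most probes coming from a single address) lend themselves to a simple log-correlation check. The following is an added detection example, not code from BeyondTrust or from any of the researchers cited here; the access-log format, the request path containing get_portal_info, the five-minute correlation window and the sample log lines are all constructed assumptions and must be adapted to the appliance's real logs.

```python
"""Added example: correlate web access logs for the CVE-2026-1731 pattern.

Flags sources that hit get_portal_info and then obtain a WebSocket
upgrade (HTTP 101) within a short window, and reports how concentrated
the probing is per source IP. Log format is an assumption (combined-log
style), as is the request path; adapt LOG_RE to the real appliance log.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed combined-log-style line layout (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample lines; the /get_portal_info path is a placeholder,
# the real endpoint name is not given on the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "POST /get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Feb/2026:10:00:03 +0000] "GET /ws HTTP/1.1" 101 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Feb/2026:10:05:00 +0000] "POST /get_portal_info HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.7 - - [12/Feb/2026:10:20:00 +0000] "POST /get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.5 - - [12/Feb/2026:11:00:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def is_portal_info(ev):
    return "get_portal_info" in ev["path"]


def is_ws_upgrade(ev):
    # A 101 response is the server accepting a WebSocket (or other) upgrade.
    return ev["status"] == 101


def find_exploit_chains(lines, window=WINDOW):
    """Return (ip, portal_info_ts, upgrade_ts) for every source that requested
    get_portal_info and then got a WebSocket upgrade within `window`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recon = defaultdict(list)  # ip -> timestamps of get_portal_info hits
    chains = []
    for ev in events:
        if is_portal_info(ev):
            recon[ev["ip"]].append(ev["ts"])
        elif is_ws_upgrade(ev):
            recent = [t for t in recon[ev["ip"]] if ev["ts"] - t <= window]
            if recent:
                chains.append((ev["ip"], recent[-1], ev["ts"]))
    return chains


def scanner_concentration(lines):
    """Share of get_portal_info probes per source IP, highest first; a single
    dominant source is the kind of signal the intelligence data above describes."""
    counts = Counter(e["ip"] for e in map(parse_line, lines) if e and is_portal_info(e))
    total = sum(counts.values())
    return [(ip, n / total) for ip, n in counts.most_common()] if total else []


if __name__ == "__main__":
    for ip, t_recon, t_ws in find_exploit_chains(SAMPLE_LOG):
        print(f"possible CVE-2026-1731 chain from {ip}: recon {t_recon} -> upgrade {t_ws}")
    for ip, share in scanner_concentration(SAMPLE_LOG):
        print(f"{ip}: {share:.0%} of get_portal_info probes")
```

Run against real logs by replacing SAMPLE_LOG with the appliance's access-log lines; a hit from find_exploit_chains on a PRA instance in the 22.1 to 24.X range that has not received Patch BT26-02-PRA should be treated as a likely compromise rather than mere scanning.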
The attack methodology, targeting get_portal_info, is a focused approach to bypass traditional authentication layers. By establishing a WebSocket channel, attackers create a persistent communication stream that can be used to funnel commands and exfiltrate data. This type of activity often precedes the deployment of more damaging payloads. Integrating a live ransomware API into security operations can help teams correlate these initial access attempts with known ransomware precursor activities.

Expansion of the Known Exploited Vulnerabilities (KEV) Catalog

The exploitation of the BeyondTrust vulnerability coincides with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding four other significant flaws to its Known Exploited Vulnerabilities (KEV) catalog. These additions highlight the diverse range of software currently under active attack.

CVE-2026-20700: Memory Buffer Vulnerability in Apple Ecosystem (CVSS 7.8)

Apple recently patched CVE-2026-20700, an improper restriction of
Active in-the-wild exploitation has been observed for CVE-2026-17