What is CVE-2026-1731?
CVE-2026-1731 is a critical remote code execution vulnerability affecting certain versions of BeyondTrust Remote Support and Privileged Remote Access. If exploited, it could allow an attacker to gain unauthorized access to the system hosting the software.
Which BeyondTrust products are affected?
According to BeyondTrust, the affected versions are:
- Remote Support: version 25.3.1 and earlier
- Privileged Remote Access: version 24.3.4 and earlier
Customers on a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 will need to upgrade to a newer version to apply this patch.
Are all BeyondTrust/Bomgar customers affected?
No. BeyondTrust states that observed exploitation was limited to internet-facing, self-hosted environments that were not patched before February 9, 2026. BeyondTrust also states that its SaaS instances were patched by February 2, 2026.
How do I know if I am at risk?
You may be at increased risk if:
- you use a self-hosted BeyondTrust/Bomgar deployment
- the instance is accessible from the internet
- the system is running an affected version
- the instance was not patched promptly
What should I do first?
We recommend taking these steps as soon as possible:
- Identify your deployment type — self-hosted or SaaS
- Confirm your version
- Apply the vendor’s patch or upgrade immediately
- Review the host for signs of unauthorized access or persistence
- Audit user accounts and remote access tooling
What version should I update to?
BeyondTrust recommends:
- Remote Support: apply BT26-02-RS for versions 21.3 through 25.3.1, or upgrade to 25.3.2 or later
-
Privileged Remote Access: apply BT26-02-PRA for versions 22.1 through 24.x, or upgrade to 25.1 or later
What if I am running an older unsupported version?
BeyondTrust states that customers running:
- Remote Support older than 21.3
- Privileged Remote Access older than 22.1
must first upgrade to a supported version before applying the relevant patch.
Is patching enough?
Patching is the most important first step, but patching alone may not fully remove an attacker if they already gained access before the update was applied. That is why it is important to also review the affected system for persistence, unauthorized accounts, unexpected remote access tools, or other signs of compromise.
What signs should I look for?
You should review for:
- unexpected or newly created user accounts
- suspicious password changes
- unauthorized remote access tools
- unusual admin activity
- unexpected processes, services, or scheduled tasks
- signs of ransomware or unauthorized command execution
Should I contact BeyondTrust?
Yes. BeyondTrust recommends that self-hosted customers with internet-exposed instances that remained unpatched as of February 9, 2026 open a Severity 1 support case and reference BT26-02.
Am I protected with Huntress?
Our SOC is actively monitoring for indicators of compromise (IoCs) associated with CVE-2026-1731 and will alert you if any suspicious activity is detected on this host. We would recommend that you prioritize the patching steps above. If you receive an alert from Huntress, we will provide specific guidance on next steps.
Where can I find the official vendor guidance?
Please review BeyondTrust’s advisory here: BeyondTrust Security Advisory BT26-02