Particle.news

BeyondTrust Pre-Auth RCE Is Now Being Exploited in the Wild

Active exploitation tied to a public PoC puts unpatched on-premises appliances at immediate risk.

Overview

  • Researchers at watchTowr confirmed the first in-the-wild attacks on CVE-2026-1731 (CVSS 9.9), a flaw that enables unauthenticated remote code execution via crafted requests.
  • Observed exploits query the /get_portal_info endpoint to extract the X-Ns-Company value before opening a WebSocket channel to execute commands on vulnerable systems.
  • Patches are available in Remote Support 25.3.2 and later (BT26-02-RS) and Privileged Remote Access 25.1.1 and later (BT26-02-PRA), with BeyondTrust auto-updating SaaS on February 2 while on-prem customers must patch manually.
  • Hacktron estimated about 11,000 internet-exposed Remote Support instances, including roughly 8,500 on-prem deployments, and researchers advise assuming compromise for unpatched systems.
  • Rapid7’s technical analysis and PoC preceded reconnaissance and limited exploitation seen by Defused Cyber and GreyNoise, which noted Nuclei-based scans and probes on non-standard ports, as CISA’s new KEV entries reinforce the urgency to remediate.
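The sequence in the second bullet, a /get_portal_info lookup followed by a WebSocket channel, is something defenders can hunt for in the appliance's web access logs. The following is an added example, not code from the article or from any vendor or researcher it names; it assumes a common-log-format layout, keys the WebSocket step on an HTTP 101 response (the actual WebSocket path is not given on the page), and runs over constructed sample lines.

```python
import re
from datetime import datetime, timedelta

# Assumed common-log-format layout; adjust the pattern to the appliance's real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def find_suspect_sources(lines, window=timedelta(minutes=10)):
    """Return {ip: (portal_info_ts, upgrade_ts)} for sources that requested
    /get_portal_info and then received a 101 (WebSocket upgrade) within `window`."""
    last_recon = {}   # ip -> time of most recent /get_portal_info request
    hits = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["path"].split("?")[0] == "/get_portal_info":
            last_recon[e["ip"]] = e["ts"]
        elif e["status"] == 101 and e["ip"] in last_recon:
            if e["ts"] - last_recon[e["ip"]] <= window:
                hits.setdefault(e["ip"], (last_recon[e["ip"]], e["ts"]))
    return hits


# Constructed sample log lines (documentation IP ranges, hypothetical /ws-endpoint path).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:10:00:01 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2026:10:00:02 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2026:10:00:03 +0000] "GET /ws-endpoint HTTP/1.1" 101 0',
    '192.0.2.9 - - [10/Feb/2026:10:00:04 +0000] "GET /ws-endpoint HTTP/1.1" 101 0',
    'not a log line',
]

if __name__ == "__main__":
    for ip, (recon_ts, ws_ts) in find_suspect_sources(SAMPLE_LOG).items():
        print(f"{ip}: /get_portal_info at {recon_ts}, WebSocket upgrade at {ws_ts}")
```

A /get_portal_info request on its own is not evidence of compromise, since legitimate clients may call it; the pairing with a subsequent upgrade from the same source is what narrows the hunt.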