
CISA Flags Actively Exploited BeyondTrust Remote Support Vulnerability (CVE-2026-1731)

Source: CISA Cybersecurity Advisories

CISA adds CVE-2026-1731 to its KEV Catalog after confirming active exploitation of this critical BeyondTrust Remote Support flaw. Immediate patching urged.

CISA Adds Actively Exploited BeyondTrust Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1731, a critical vulnerability in BeyondTrust Remote Support (RS), to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation in the wild. Federal agencies and organizations are urged to prioritize remediation.

Technical Details

  • CVE ID: CVE-2026-1731
  • Affected Product: BeyondTrust Remote Support (RS)
  • Vulnerability Type: Details pending (likely remote code execution or authentication bypass based on active exploitation)
  • Exploitation Status: Confirmed in-the-wild attacks
  • CISA Deadline for Federal Agencies: [To be announced; typically within 2–4 weeks of KEV addition]

At the time of publication, BeyondTrust has not released a public advisory detailing the vulnerability’s root cause or CVSS severity score. However, inclusion in CISA’s KEV Catalog indicates the flaw poses a significant risk to unpatched systems.

Impact Analysis

Active exploitation of CVE-2026-1731 could enable threat actors to:

  • Gain unauthorized access to sensitive systems via BeyondTrust RS deployments
  • Escalate privileges within compromised networks
  • Deploy additional malware or ransomware payloads
  • Exfiltrate data from vulnerable endpoints

BeyondTrust RS is widely used by enterprises for secure remote access, making this vulnerability a high-value target for attackers. Federal agencies under CISA’s Binding Operational Directive (BOD) 22-01 are required to remediate the flaw by the specified deadline.

Recommendations

  1. Immediate Patching: Apply the latest BeyondTrust RS security update as soon as it becomes available. Monitor BeyondTrust’s advisory page for official guidance.
  2. Network Segmentation: Isolate BeyondTrust RS servers from untrusted networks until patches are applied.
  3. Monitor for Exploitation: Review logs for unusual activity, such as:
    • Unauthorized access attempts to BeyondTrust RS instances
    • Suspicious outbound connections from affected servers
  4. Federal Agencies: Comply with CISA’s remediation deadline once announced. Document mitigation efforts if patching is delayed.
  5. Threat Hunting: Leverage indicators of compromise (IOCs) from CISA or BeyondTrust to detect potential breaches.

CISA will update its KEV entry with additional details as they emerge. Organizations are advised to subscribe to CISA’s alerts for real-time updates.
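
Tracking the KEV entry and its remediation deadline can be scripted. The following is an added example, not code from CISA or BeyondTrust: it parses a constructed excerpt shaped like CISA's KEV JSON feed and reports whether a watched CVE is listed and how many days remain. The sample feed, its dueDate value, and the function names kev_status and triage are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. The dueDate is a
# placeholder for illustration, not the deadline CISA published.
SAMPLE_FEED = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support (RS)", "dueDate": "2026-03-06"},
    ],
})


def kev_status(feed_text, cve_id, today):
    """Return (state, days_left); state is not_listed, no_due_date, due or overdue."""
    feed = json.loads(feed_text)
    entry = next((v for v in feed.get("vulnerabilities", [])
                  if str(v.get("cveID", "")).upper() == cve_id.upper()), None)
    if entry is None:
        return ("not_listed", None)
    try:
        due = date.fromisoformat(entry.get("dueDate") or "")
    except (TypeError, ValueError):
        # Listed, but the deadline is missing or malformed: recheck later.
        return ("no_due_date", None)
    days_left = (due - today).days
    return ("due" if days_left >= 0 else "overdue", days_left)


def triage(feed_text, watchlist, today):
    """Order a CVE watchlist: overdue first, then nearest deadline, then the rest."""
    rank = {"overdue": 0, "due": 1, "no_due_date": 2, "not_listed": 3}
    rows = [(cve, *kev_status(feed_text, cve, today)) for cve in watchlist]
    return sorted(rows, key=lambda r: (rank[r[1]], r[2] if r[2] is not None else 0))


if __name__ == "__main__":
    # Hypothetical run date; replace SAMPLE_FEED with the downloaded feed text.
    for cve, state, days in triage(SAMPLE_FEED, ["CVE-2026-1731"], date(2026, 2, 20)):
        print(cve, state, days)
```

In practice the feed text would come from a scheduled download of the KEV catalog, and a change of state from no_due_date to due is the signal to schedule the patch window.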

Original source: CISA Alert (February 13, 2026)
