CVE-2026-1731 BeyondTrust CVE debrief

Who should care

Administrators and security teams responsible for BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), especially if any deployments are internet accessible. Incident response and vulnerability management teams should also prioritize this issue because CISA lists it in KEV and flags known ransomware campaign use.

Technical summary

CISA classifies CVE-2026-1731 as an OS command injection affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The KEV entry indicates known exploitation and notes known ransomware campaign use. No affected version range, exploit mechanics, or CVSS score are provided in the supplied corpus.

Defensive priority

Urgent. Treat this as a high-priority remediation item because it is in CISA KEV, has a short due date, and is associated with known ransomware campaign use.

Recommended defensive actions

• Apply vendor-recommended mitigations immediately.
• If mitigations are unavailable, discontinue use of the product where appropriate.
• Check all internet-accessible affected BeyondTrust systems for signs of compromise.
• Follow CISA BOD 22-01 guidance for cloud services where applicable.
• Verify mitigation or patch status and document exposure until remediation is complete.

Evidence notes

The supplied authoritative evidence is the CISA KEV record and its raw JSON feed entry, which identify BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) as the affected products, classify the issue as an OS command injection vulnerability, mark known ransomware campaign use as Known, and provide dateAdded 2026-02-13 with dueDate 2026-02-16. Official CVE and NVD links were supplied, but the corpus does not include additional vendor advisory text, affected versions, or CVSS data.

Official resources