SparTech Software CyberPulse – Your quick strike cyber update for February 14, 2026 4:05 PM

Active In-the-Wild Exploitation of BeyondTrust Critical Vulnerability

This summary covers the recent discovery of in-the-wild exploitation targeting CVE-2026-1731, a critical unauthenticated remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access products, with threat actors rapidly deploying reconnaissance and attack tools following public disclosure of a proof-of-concept.

Vulnerability Technical Details

CVE-2026-1731 resides in the get_portal_info endpoint of BeyondTrust products, allowing unauthenticated attackers to extract sensitive configuration data such as the x-ns-company value. This data enables the establishment of a WebSocket channel for further exploitation, culminating in remote code execution without authentication. The flaw stems from inadequate input validation and access controls in the API handler, where user-supplied parameters are processed without proper sanitization, leading to arbitrary command injection when combined with WebSocket session hijacking.

Observed Attack Patterns

Threat intelligence firms detected exploitation attempts within 24 hours of proof-of-concept availability. Attackers initiate reconnaissance by querying the vulnerable endpoint to harvest company identifiers, followed by WebSocket connections mimicking legitimate sessions. A single IP address, linked to a Frankfurt-based commercial VPN, accounted for 86 percent of scans, indicating an established scanning operation that swiftly integrated the vulnerability into its toolkit. GreyNoise and watchTowr sensors globally confirmed these activities, highlighting the speed of adversary adaptation.

Technical Exploitation Mechanics

Exploitation begins with an HTTP GET request to /api/get_portal_info, supplying crafted parameters to bypass session checks. The response leaks internal tokens, which are reused in a WebSocket upgrade request over wss://target/api/ws. Once connected, attackers inject JavaScript payloads via the channel, executing system commands through BeyondTrust’s privileged access mechanisms. This chain achieves RCE by leveraging the product’s own elevated privileges, often resulting in persistent backdoor deployment without triggering host-based defenses.

CISA Response and Mitigation Deadlines

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog on February 13, 2026, requiring Federal Civilian Executive Branch agencies to apply patches by February 16, 2026. Additional KEV entries include flaws in Apple, Microsoft, SolarWinds, and Notepad++, with remediation deadlines extending to March 5, 2026. Organizations must disable the affected API endpoints, enforce network segmentation for BeyondTrust instances, and monitor for anomalous WebSocket traffic patterns indicative of exploitation.
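The reconnaissance pattern described above (requests to the get_portal_info endpoint, followed by a WebSocket upgrade from the same source, with one source dominating the scan volume) can be surfaced from ordinary web access logs. The script below is an added example written for this summary; it is not BeyondTrust, CISA, GreyNoise or watchTowr code. It assumes a combined-format access log with a trailing field carrying the request's Upgrade header, and all sample log lines, IP addresses and the five-minute correlation window are constructed for illustration.

```python
"""Detection sketch: flag CVE-2026-1731-style reconnaissance in web access logs.

Added example for this summary, not vendor or agency code. It assumes a
combined-format access log with an extra trailing field holding the request's
Upgrade header; the sample lines below are constructed and the IPs come from
documentation ranges, not observed sources.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (combined format + trailing Upgrade header field).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2026:09:00:01 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "curl/8.4" "-"
203.0.113.10 - - [13/Feb/2026:09:00:03 +0000] "GET /api/ws HTTP/1.1" 101 0 "-" "curl/8.4" "websocket"
198.51.100.7 - - [13/Feb/2026:09:05:10 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
192.0.2.44 - - [13/Feb/2026:09:10:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [13/Feb/2026:09:12:00 +0000] "GET /api/get_portal_info HTTP/1.1" 200 512 "-" "curl/8.4" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<upgrade>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RECON_PATH = "/api/get_portal_info"   # endpoint named in the advisory summary
WS_PATH = "/api/ws"                   # WebSocket path named in the summary
CHAIN_WINDOW = timedelta(minutes=5)   # assumed correlation window (constructed)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Return (recon_counts, chained_sources, dominant_share).

    recon_counts     - hits on the recon endpoint per source IP
    chained_sources  - IPs that hit the recon endpoint and then completed a
                       WebSocket upgrade (HTTP 101) within CHAIN_WINDOW
    dominant_share   - fraction of recon hits from the single busiest IP
    """
    recon_counts = Counter()
    recon_times = defaultdict(list)
    chained = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"] == RECON_PATH:
            # Any hit is worth noting: the endpoint should be disabled per guidance.
            recon_counts[ip] += 1
            recon_times[ip].append(rec["ts"])
        elif (rec["path"] == WS_PATH and rec["status"] == 101
              and rec["upgrade"].lower() == "websocket"):
            # Recon followed by a WebSocket upgrade from the same source = the chain.
            if any(timedelta(0) <= rec["ts"] - t <= CHAIN_WINDOW for t in recon_times[ip]):
                chained.add(ip)
    total = sum(recon_counts.values())
    dominant_share = recon_counts.most_common(1)[0][1] / total if total else 0.0
    return recon_counts, chained, dominant_share


if __name__ == "__main__":
    counts, chained, share = analyze(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"recon hits from {ip}: {n}")
    print(f"sources completing recon->WebSocket chain: {sorted(chained)}")
    print(f"share of recon traffic from busiest source: {share:.0%}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a high dominant_share points at a single scanning operation of the kind the sensors reported, while any entry in chained_sources deserves the same treatment as a confirmed exploitation attempt.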

Broader Implications for Privileged Access Management

This incident underscores risks in privileged remote access solutions, where misconfigured APIs serve as high-value attack vectors. Defenders should implement zero-trust principles, including continuous API behavioral analysis and runtime protection for management interfaces. BeyondTrust has released patched versions (22.5.4 and later) that introduce strict parameter whitelisting and JWT-based authentication for all endpoints.
