TL;DR

  • CVE-2026-1731 is a critical remote code execution (RCE) vulnerability in BeyondTrust's Remote Support and Privileged Remote Access software, with a CVSS score of 9.9 out of 10 — the near-maximum possible [1].
  • Attackers do not need a username or password to exploit it: they can break in through an unauthenticated network connection and take full control of the system [2].
  • CISA added it to its Known Exploited Vulnerabilities catalogue on February 13, 2026, confirming active exploitation in the wild [3].
  • Over 16,400 exposed instances have been identified globally — affecting businesses in financial services, legal, healthcare, retail, and technology [2].
  • The patch exists. If your business uses BeyondTrust Remote Support or Privileged Remote Access, your one action today is to check your version and apply the February 2026 update.

What Is CVE-2026-1731 and Why Should Your Business Care?

BeyondTrust is widely used by IT teams and managed service providers to remotely access, troubleshoot, and manage client systems. If your IT support team connects to your computers remotely — whether they're in-house or outsourced — there is a meaningful chance they use BeyondTrust or a product that integrates with it.

On February 6, 2026, BeyondTrust published a security advisory for CVE-2026-1731: a pre-authentication remote code execution (RCE) vulnerability in its remote support software [4]. "Pre-authentication" means an attacker does not need valid credentials to exploit it. They connect to the exposed WebSocket interface, send a specially crafted malformed request, and the server executes their commands with elevated privileges [2].

The vulnerability received a CVSS v4 score of 9.9 out of 10 — classifying it as critical. For context, a CVSS score of 9.0 or above represents a flaw that is trivially exploitable, broadly impactful, and requires immediate action [1]. At 9.9, this sits at the very top of the severity scale.

Within four days of a public proof-of-concept (PoC) hitting GitHub on February 10, 2026, security firm GreyNoise observed active internet-wide reconnaissance — automated scanning for vulnerable BeyondTrust instances across the public internet [5]. Within hours, that reconnaissance had escalated into actual exploitation campaigns.


Who Is Being Targeted Right Now?

This is not an abstract enterprise threat. Unit 42, Palo Alto Networks' threat intelligence team, has been actively investigating compromises tied to CVE-2026-1731 and confirmed exploitation across the following sectors in the United States, France, Germany, Australia, and Canada [2]:

  • Financial services — payment processors, accounting firms, credit unions
  • Legal services — law firms, paralegal providers, e-discovery vendors
  • Healthcare — clinics, dental practices, allied health providers
  • Wholesale and retail — point-of-sale system providers, e-commerce backends
  • High technology — SaaS companies, MSPs, IT service providers

These are SMB-prevalent sectors. Attackers targeting these industries through a remote access vulnerability are not looking for a single large organisation — they are running automated scans that exploit every unpatched instance they can find. Your size provides no protection here.

According to Unit 42's telemetry, more than 16,400 instances of BeyondTrust software remain exposed to CVE-2026-1731 as of publication [2]. That number is falling as patches are applied — but if your instance is still unpatched, you are visible to anyone scanning for this vulnerability.



What Do Attackers Do Once They're In?

Unit 42's investigation into active exploitation campaigns documents the attack chain in detail [2]. After exploiting the vulnerability to gain initial access, observed attacker activity includes:

  • Creating domain accounts to establish persistence — meaning they maintain access even if the entry point is closed
  • Installing remote management tools (specifically VShell backdoor and SparkRAT) to maintain covert access independent of BeyondTrust
  • Network reconnaissance — mapping domain administrators, identifying trust relationships, and enumerating connected systems
  • Lateral movement — pivoting from the compromised BeyondTrust server into connected workstations, file servers, and cloud environments
  • Data exfiltration — copying sensitive files before deploying any visible payload

This attack chain is notable for one reason: by the time encryption or ransom demands appear, attackers have already spent days or weeks inside the network, copying data and creating hidden accounts. Encryption is often the last step — and by then, the attacker has leverage that goes far beyond access.

CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities Catalogue on February 13 and later updated the entry to confirm that the vulnerability is being exploited specifically in ransomware campaigns [3][6].


How to Check and Fix This Right Now

If your business uses BeyondTrust Remote Support or Privileged Remote Access, follow these steps:

Step 1: Identify whether you are running BeyondTrust Remote Support or Privileged Remote Access

If your IT provider manages your systems remotely, ask them which tool they use. If you self-host a BeyondTrust appliance, check your admin console for the current version number.

Step 2: Apply the February 2026 patch

BeyondTrust released fixes for CVE-2026-1731 in its February 2026 security advisory (BT26-02) [4]. If you are using the cloud-hosted version of BeyondTrust, the patch has already been applied by BeyondTrust. If you are running a self-hosted appliance, you must apply the patch manually unless you have automatic updates enabled in the appliance interface.

Log into your appliance management interface and check "Software Management" or "Updates" for the February 2026 release. Apply immediately if not already applied.

Step 3: Review for indicators of compromise

If your BeyondTrust instance was exposed to the internet before the patch was applied, treat it as potentially compromised. Review authentication logs for unexpected account creation, unusual login times, or unfamiliar device connections. Check for new local or domain administrator accounts you did not create. Look for unexpected outbound connections from your BeyondTrust server — particularly to unfamiliar IP addresses [2].

Arctic Wolf and Darktrace have both published detection guidance specific to CVE-2026-1731 exploitation activity [7][8].

Step 4: Restrict internet exposure of remote access tools

Remote access management interfaces — BeyondTrust or otherwise — should not be exposed to the open internet without additional controls. At minimum: enforce MFA on all administrative accounts, restrict access by IP allowlist where possible, and place the management interface behind a VPN or zero-trust network access (ZTNA) solution.
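The review in Step 3 and the allowlist control in Step 4 can be turned into a repeatable check. The script below is an added example for this article, not BeyondTrust's own tooling or anything from the cited reports: it parses a handful of constructed appliance-style log lines (the `timestamp event key=value` format, the event names and the field names are all assumptions) and flags the indicators the steps describe: new account creation, successful logins from addresses outside your provider's allowlist, logins outside business hours, and outbound connections to destinations you do not recognise. The allowlist ranges are RFC 5737 documentation addresses standing in for your IT provider's real ranges.

```python
"""Added example (not from the article or BeyondTrust): review appliance-style
logs for the Step 3 indicators and apply the Step 4 source-IP allowlist.
The log format, event names and field names are assumptions for this demo."""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp event key=value" format.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOGS = """\
2026-02-11T09:12:04Z login user=jsmith src=203.0.113.10 result=success
2026-02-11T23:47:51Z login user=admin src=198.51.100.77 result=success
2026-02-11T23:49:02Z account_create user=svc_backup by=admin role=administrator
2026-02-11T23:52:30Z outbound dst=198.51.100.77 port=443 proc=update.exe
2026-02-12T10:05:11Z login user=jsmith src=203.0.113.11 result=success
2026-02-12T10:06:00Z outbound dst=203.0.113.50 port=443 proc=agent
"""

# Assumed allowlists: in practice, the address ranges your IT provider connects
# from (Step 4) and the destinations your appliance legitimately talks to.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC; adjust to your own schedule

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Split one log line into a dict; returns None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, **fields}


def in_allowlist(addr, networks):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def review(log_text):
    """Return (kind, subject, raw_line) findings for every indicator hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec["event"]
        if event == "account_create":
            # Persistence: an account you did not create (Step 3)
            findings.append(("new_account", rec.get("user", "?"), line))
        elif event == "login" and rec.get("result") == "success":
            src = rec.get("src")
            # Step 4: a source your allowlist would have blocked
            if src and not in_allowlist(src, TRUSTED_SOURCES):
                findings.append(("login_outside_allowlist", src, line))
            # Step 3: unusual login time
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", rec.get("user", "?"), line))
        elif event == "outbound":
            dst = rec.get("dst")
            # Step 3: unexpected outbound connection from the appliance
            if dst and not in_allowlist(dst, KNOWN_DESTINATIONS):
                findings.append(("unexpected_outbound", dst, line))
    return findings


def summarize(findings):
    """Count findings per indicator kind, for a quick triage view."""
    counts = {}
    for kind, _subject, _line in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SAMPLE_LOGS)
    for kind, subject, raw in results:
        print(f"[{kind}] {subject}: {raw}")
    print(summarize(results))
```

Run against your own exported logs, the output is a starting list for the incident responder, not a verdict: a single off-hours login may be benign, but an off-hours login from a non-allowlisted address followed minutes later by a new administrator account and an outbound connection to that same address is the pattern the Unit 42 report describes and should be escalated rather than cleaned up in place.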



The Broader Lesson: Remote Access Tools Are Your Front Door

CVE-2026-1731 is a specific bug in a specific product — but it illustrates a structural issue that affects every business using remote access tools.

Remote support software gives IT providers elevated access to your most sensitive systems. That is its job. But that access profile also makes it one of the most valuable targets for attackers. A single compromised remote access tool can give an attacker the same level of access as your most trusted IT administrator — across every system they can reach.

Unit 42's 2026 Global Incident Response Report found that identity weaknesses — including compromised credentials and misused remote access tools — played a material role in nearly 90% of all major incidents investigated [9]. Attacks aren't usually sophisticated zero-day exploits. They are attackers logging in with stolen or exploited access and walking around like they belong there.

The businesses that close these gaps are not the ones with the most technology. They are the ones that know what remote access exists in their environment, who has it, and what it can reach — and they audit that picture regularly.


FAQ

CVE-2026-1731 is a critical remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access software. It received a CVSS v4 score of 9.9/10. It allows unauthenticated attackers — those without any login credentials — to execute arbitrary commands on the affected system by sending a malformed request to the software's WebSocket interface [1][2].

Your business may be affected if you use BeyondTrust Remote Support or Privileged Remote Access, either self-hosted or through a managed service provider that uses these tools. Cloud-hosted instances were patched by BeyondTrust directly; self-hosted appliances require a manual update unless automatic updates were enabled. Ask your IT provider if BeyondTrust is in your environment.

Look for: unexpected new user accounts (local or domain-level), unfamiliar outbound network connections from your remote access server, authentication logs showing logins from unusual IP addresses or at unusual times, and presence of unfamiliar remote management software on servers. If you suspect compromise, engage a professional incident responder before making changes to preserve forensic evidence [2][7].

CISA's KEV catalogue is a list maintained by the U.S. Cybersecurity and Infrastructure Security Agency of vulnerabilities that have been confirmed to be actively exploited in real-world attacks. Inclusion in the KEV mandates immediate patching for U.S. federal agencies and serves as a strong signal to private sector organisations that the risk is real and current [3].

Apply patches promptly — within 48-72 hours for critical severity. Restrict internet exposure of management interfaces to known IP ranges. Require MFA on all administrative accounts. Audit what remote access tools are in your environment quarterly. Use network segmentation so that a compromised remote access server cannot directly reach your most sensitive data. Consider zero-trust network access (ZTNA) as a structural alternative to traditional VPN-based remote access.


References

[1] NIST National Vulnerability Database, "CVE-2026-1731 Detail," NVD, Feb. 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-1731

[2] Palo Alto Networks Unit 42, "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)," Unit 42 Threat Intelligence, Feb. 2026. [Online]. Available: https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/

[3] CISA, "Known Exploited Vulnerabilities Catalog — CVE-2026-1731," U.S. Cybersecurity and Infrastructure Security Agency, Feb. 13, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[4] BeyondTrust, "Security Advisory BT26-02," BeyondTrust Trust Center, Feb. 6, 2026. [Online]. Available: https://www.beyondtrust.com/trust-center/security-advisories/bt26-02

[5] GreyNoise, "Reconnaissance Has Begun for the New BeyondTrust RCE CVE-2026-1731," GreyNoise Blog, Feb. 2026. [Online]. Available: https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731

[6] SecurityWeek, "BeyondTrust Vulnerability Exploited in Ransomware Attacks," SecurityWeek, Feb. 20, 2026. [Online]. Available: https://www.securityweek.com/beyondtrust-vulnerability-exploited-in-ransomware-attacks/

[7] Arctic Wolf, "CVE-2026-1731: Critical BeyondTrust Remote Support Flaw," Arctic Wolf Blog, Feb. 2026. [Online]. Available: https://arcticwolf.com/resources/blog/cve-2026-1731/

[8] Darktrace, "CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding," Darktrace Blog, Feb. 2026. [Online]. Available: https://www.darktrace.com/blog/cve-2026-1731-how-darktrace-sees-the-beyondtrust-exploitation-wave-unfolding

[9] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report – Attacks Now 4x Faster," Palo Alto Networks Community Blog, Feb. 2026. [Online]. Available: https://live.paloaltonetworks.com/t5/community-blogs/2026-unit-42-global-incident-response-report-attacks-now-4x/ba-p/1248694

[10] Orca Security, "CVE-2026-1731: Critical BeyondTrust Remote Support Flaw," Orca Security Blog, Feb. 2026. [Online]. Available: https://orca.security/resources/blog/cve-2026-1731-beyondtrust-vulnerability/

[11] CISA, "Known Exploited Vulnerabilities — About," U.S. Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities

[12] Verizon, "2024 Data Breach Investigations Report," Verizon Business, 2024. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/


Your remote access tools are some of the most privileged software in your environment — and the most valuable targets. lilMONSTER can audit your remote access setup, review your patch status, and identify gaps before they become incidents. Book a free consultation at consult.lil.business — the audit takes an afternoon; the alternative takes months.

TL;DR

  • Imagine giving your IT person a spare key to your office so they can fix things remotely — but a hacker just made a copy of that key without needing the original.
  • A critical security bug (called CVE-2026-1731) in a common IT remote access tool called BeyondTrust lets attackers walk straight in — no password needed.
  • It has a 9.9/10 severity score, nearly the highest possible rating [1].
  • Over 16,000 businesses are still vulnerable to this right now [2].
  • The fix exists — your IT team needs to apply it today.

Your IT Support Team Has a Remote Key to Your Business

Think about your business like a building. You've got an office — computers, files, customer records, maybe payment systems. And your IT support team, whether they're in-house or outsourced, has a spare key. That's how remote support works. They connect to your computer from their location and fix things without having to drive over.

One of the tools used for this is called BeyondTrust. It's used by thousands of IT teams worldwide — probably including the people who look after your systems.

In February 2026, security researchers discovered a critical flaw in BeyondTrust [3]. They found that a hacker could walk up to the "digital door" of BeyondTrust's software, without any key at all, say something specific to the lock mechanism — and the door just... opens.

No username. No password. No security badge. Just walk right in [2].


How Serious Is This?

Security experts rate vulnerabilities on a scale from 0 to 10. Zero is "basically harmless." Ten is "drop everything right now."

CVE-2026-1731 scored 9.9 out of 10 [1].

The US government's cybersecurity agency, CISA, added it to its official list of vulnerabilities that are actively being exploited in the real world [3]. That's their way of saying: this isn't theoretical. Hackers are already using this.

By mid-February, security researchers confirmed that within 24 hours of a working attack method being posted online, automated bots were scanning the entire internet looking for businesses with vulnerable software [4]. It's like picking a lock in public, posting the technique on YouTube, and coming back the next day to find a thousand people checking your door.


Who Gets Hit?

This tool is used across many types of businesses — not just big corporations. Unit 42, a security research team that investigated real attacks using this flaw, found victims in [2]:

  • Legal firms (law offices, paralegal services)
  • Financial businesses (accountants, credit unions, payment processors)
  • Healthcare providers (clinics, dental practices)
  • Retail businesses
  • Technology companies

If your IT team remotely accesses your computers — and most do — it's worth asking them right now: "Do you use BeyondTrust?"


What Happens After Attackers Get In?

Once inside, attackers don't immediately lock your files and demand money. That's the last step.

First, they quietly look around. They create new accounts so they can come back even if the original entry is fixed. They copy your files to their own systems. They figure out which other computers they can reach. Only once they've been in for days or weeks — copying everything valuable — do they show you the ransom note [2].

By then, they have leverage that goes beyond access. Even if you refuse to pay, they have your data and can threaten to post it publicly.


What You Should Do Right Now

This is a three-step fix:

Step 1: Ask your IT team. "Do we use BeyondTrust Remote Support or Privileged Remote Access, and has the February 2026 security update been applied?"

Step 2: Verify the patch is applied. If you have a self-hosted BeyondTrust setup (meaning it runs on your own servers), the patch does not apply itself — someone needs to install it manually. If you use the cloud-hosted version, it was patched automatically by BeyondTrust.

Step 3: Make sure your remote access tools aren't open to the whole internet. Any tool that lets IT teams into your systems should only be accessible to specific, trusted IP addresses — not the entire internet. Your IT team can configure this, and it closes off a huge class of attacks before they start.


Remote access tools are the spare key to your business. At lil.business, we help SMBs understand who has access to their systems, make sure that access is locked down, and audit for exactly these kinds of vulnerabilities before attackers find them first. Book a free consultation at consult.lil.business — it's a short conversation that could save you months of headaches.


FAQ

Q: What is the main security concern covered in this post? A:

Q: Who is affected by this? A:

Q: What should I do right now? A:

Q: Is there a workaround if I can't patch immediately? A:

Q: Where can I learn more? A:

References

[1] NIST National Vulnerability Database, "CVE-2026-1731 Detail," NVD, Feb. 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-1731

[2] Palo Alto Networks Unit 42, "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)," Unit 42 Threat Intelligence, Feb. 2026. [Online]. Available: https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/

[3] CISA, "Known Exploited Vulnerabilities Catalog," U.S. Cybersecurity and Infrastructure Security Agency, Feb. 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[4] GreyNoise, "Reconnaissance Has Begun for the New BeyondTrust RCE CVE-2026-1731," GreyNoise Blog, Feb. 2026. [Online]. Available: https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
