INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Critical Remote Support Vulnerability Exploit Flaw Found
2026-02-09 13:07 | CRITICAL HIGH
Executive Summary AI-generated
Chinese cyberspies have also targeted the Committee on Foreign Investment in the United States, which reviews foreign investments for national security risks, and the Office of Foreign Assets Control, which administers U.S. sanctions programs. This is not an isolated incident: CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19 and ordered US government agencies to secure their networks within a week. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026, and advised on-premises customers to patch their systems manually. This highlights the ongoing threat of state-sponsored hacking groups like Silk Typhoon, which have been linked to previous attacks on US companies and government agencies.
Technical Mitigations AI-generated
* Patch RS/PRA software to the latest version: Customers should upgrade their Remote Support (RS) and Privileged Remote Access (PRA) products to the latest versions, specifically Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later.
* Implement secure authentication mechanisms: Organizations should ensure that all users have strong authentication credentials before allowing access to remote support tools, and consider implementing multi-factor authentication (MFA) for added security.
* Monitor network traffic for suspicious activity: IT teams should regularly monitor network traffic for signs of unauthorized access attempts, and implement measures such as intrusion detection systems (IDS), firewalls, and antivirus software to detect and respond to potential threats.
* Regularly update and patch operating systems and applications: Ensure that all operating systems, applications, and services are up-to-date with the latest security patches, including those related to remote code execution vulnerabilities like CVE-2026-1731.
* Implement a secure incident response plan: Organizations should have a well-defined incident response plan in place to quickly respond to potential attacks, minimize damage, and contain the threat.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2024-12686
CVE-2026-1731
CVE-2024-12356
Target & Sectors
NORTH_AMERICA
government
Incident Timeline
June 2025
Attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust's systems.
tactic
Remote Code Execution
T1584.004 - Server
T1221 - Template Injection
In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability that could also allow unauthenticated attackers to gain remote code execution.
organisation
CVE-2026
Previous BeyondTrust
BeyondTrust RS
Previous BeyondTrust flaws targeted as zero-days
While the company has yet to say whether attackers have exploited the recently patched CVE-2026-1731 vulnerability in the wild, other BeyondTrust RS/PRA security flaws have been targeted in recent years.
organisation
the Committee on Foreign Investment
the Office of Foreign Assets Control (OFAC)
The Chinese cyberspies have also targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs.
organisation
The U.S. Treasury Department
The U.S. Treasury Department revealed less than one month later that its network had been hacked in an incident later linked to the Silk Typhoon Chinese state-backed hacking group.
organisation
API
For instance, two years ago, attackers used a stolen API key to compromise 17 Remote Support SaaS instances after breaching BeyondTrust's systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686).
organisation
Treasury
Silk Typhoon is believed to have stolen unclassified information about potential sanctions actions and other similarly sensitive documents from the Treasury's compromised BeyondTrust instance.
organisation
Remote Access
Remote Support is the company's enterprise-grade remote support solution that helps IT support teams troubleshoot issues remotely, while Privileged Remote Access serves as a secure gateway that enforces authorization rules for specific systems and resources.
victims
20,000 customers
BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of Fortune 100 companies worldwide.
January 31, 2026
Threat actors exploited a critical Remote Access Security System (RASS) vulnerability in BeyondTrust's remote support software.
general_metric
11,000 instances
According to security researcher and Hacktron AI co-founder Harsh Jaiswal, the vulnerability was discovered on January 31, 2026, through an artificial intelligence (AI)-enabled variant analysis, adding that it found about 11,000 instances exposed to the internet.
February 2, 2026
Threat actors exploited a remote support software vulnerability to gain unauthorized access and compromise systems.
tactic
Exfiltration
infrastructure
25.3.2
25.1.1
"Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."
BeyondTrust has secured all RS/PRA cloud systems by February 2, 2026, and has advised all on-premises customers to patch their systems manually by upgrading to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later, if they haven't enabled automatic updates.
February 6, 2026
Threat actors exploited a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA).
tactic
Remote Code Execution
organisation
Privileged Remote Access
"BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability," the company said in an advisory released February 6, 2026.
Feb 09, 2026
Threat actors exploited a previously unknown remote access vulnerability in BeyondTrust's remote support software to gain unauthorized access.
2026-02-09
BeyondTrust warned of a critical pre-authentication remote code execution vulnerability in its Remote Support and Privileged Remote Access products that could be exploited by unauthenticated attackers to execute arbitrary operating system commands.
organisation
BeyondTrust
Ravie Lakshmanan
Feb 09, 2026
Enterprise Security / Network Security
BeyondTrust has released updates to address a critical security flaw impacting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could result in remote code execution.
"Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user," BeyondTrust noted.
organisation
Hacktron
Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
organisation
CVE
CVE-2026
The vulnerability, categorized as an operating system command injection, has been assigned the CVE identifier CVE-2026-1731.
infrastructure
25.3.1
24.3.4
25.3.2
The issue affects the following versions -
Remote Support versions 25.3.1 and prior
Privileged Remote Access versions 24.3.4 and prior
It has been patched in the following versions -
Remote Support - Patch BT26-02-RS, 25.3.2 and
infrastructure
21.3
22.1
Those running a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 are also required to upgrade to a newer version to apply this patch.
infrastructure
25.1.1
"Self-hosted customers of PRA may also upgrade to 25.1.1 or a newer version to remediate this vulnerability," it added.
organisation
PRA
BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA.
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely.
organisation
CVSS
It's rated 9.9 on the CVSS scoring system.
organisation
RCE
BeyondTrust warns of critical RCE flaw in remote support software.
December 19
Threat actors exploited a remote support software vulnerability to gain unauthorized access.
industry
Government
vulnerability
CVE-2024-12356
attribution
CISA
Known Exploited
tactic
T1588.006 - Vulnerabilities
CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19 and ordered U.S. government agencies to secure their networks within a week.
Intelligence Sources
The Hacker News
2026-02-09
BleepingComputer
2026-02-09
BeyondTrust warns of critical RCE flaw in remote support software
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:46
Comprehensive Tactical Telemetry
Highly Correlated Entities
20x | organisation | Identified Entity | BeyondTrust | entity
8x | timeline | Temporal Reference | Feb 09, 2026 | date
6x | infrastructure | Software Version | 25.3.1 | version
3x | vulnerability | Exploited CVE | CVE-2026-1731 | cve
3x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
2x | tactic | Cyber Operation Type | Exfiltration | tactic
2x | attribution | Attributing Entity | CISA | authority
Contextual Telemetry
Context Block
11 METRICS
general metric | Feb | 9 | feb
general metric | Remote Bt26 Rs | 2 | remote bt26 rs
general metric | Entities | 10 | entities
general metric | Instances | 11,000 | instances
target region | Target Country | United States | country
source region | Origin Country | China | country
industry | Targeted Sector | Government | sector
general metric | Saas Instances | 17 | saas instances
victims | Customers | 20,000 | customers
general metric | Countries | 100 | countries
general metric | % | 75 | %