INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
BeyondTrust Ransomware Exploit Flaw Used in Attacks
2026-02-20 23:46 | CRITICAL HIGH
Executive Summary AI-generated
The U.S. Department of Health and Human Services has issued a critical alert warning healthcare and public health sector organizations to review and address the vulnerability in light of rising cyberattacks targeting those entities. The BeyondTrust flaw is being exploited in ransomware attacks and can give an attacker a foothold inside a corporate network if not patched promptly. The flaw affects software versions 25.3.1 or earlier for Remote Support and Privileged Remote Access products, with proof-of-concept exploits becoming available shortly after its discovery on January 31. To mitigate the risk, organizations should install version 25.3.2 of Remote Support by February 20, while Privileged Remote Access users are advised to switch to a newer software version (e.g., 25.1.1 or newer).
Technical Mitigations AI-generated
• Patch Application: Customers of the cloud-based application (SaaS) should apply the patch automatically on February 2, or manually install it via the '/appliance' interface.
• Version Upgrade: Privileged Remote Access users should switch to version 25.1.1 or newer, and those still at RS v21.3 and PRA v22.1 are recommended to upgrade before applying the patch.
• Automatic Updates: Customers of self-hosted instances need to enable automatic updates and verify that the patch was applied via the '/appliance' interface or manually install it.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-1731
Target & Sectors
Global Scope
health
healthcare
Incident Timeline
January 31
Exploitation of CVE-2026-1731 was detected on January 31, according to BeyondTrust's updated bulletin, making it a zero-day vulnerability for at least a week.
vulnerability
CVE-2026-1731
On February 13, BeyondTrust updated the bulletin to say that exploitation had been detected on January 31, making CVE-2026-1731 a zero-day vulnerability for at least a week.
February 2
Threat actors exploited a vulnerability in BeyondTrust to gain unauthorized access and install ransomware on February 2.
February 6
BeyondTrust initially disclosed CVE-2026-1731 on February 6.
vulnerability
CVE-2026-1731
BeyondTrust initially disclosed CVE-2026-1731 on February 6.
Feb. 13
The U.S. Cybersecurity and Infrastructure Security Agency added the CVE-2026-1731 flaw to its catalog of known exploited vulnerabilities on February 13, giving federal agencies three days to fix it.
vulnerability
CVE-2026-1731
The U.S. Cybersecurity and Infrastructure Security Agency added the flaw, tracked as CVE-2026-1731, on Feb. 13 to its catalog of known exploited vulnerabilities and gave federal agencies just three days to fix it.
February 13
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13, giving federal agencies three days to apply the patch or stop using the product.
vulnerability
CVE-2026-1731
On February 13, BeyondTrust updated the bulletin to say that exploitation had been detected on January 31, making CVE-2026-1731 a zero-day vulnerability for at least a week.
attribution
KEV
CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies just three days to apply the patch or stop using the product.
tactic
T1588.006 - Vulnerabilities
CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies just three days to apply the patch or stop using the product.
2026-02-20
Hackers are actively exploiting the CVE-2026-1731 vulnerability in BeyondTrust Remote Support products.
organisation
The U.S. Department of Health and Human Services
The U.S. Department of Health and Human Services in an alert Thursday warned healthcare and public health sector organizations to review and address the vulnerability in light of rising cyberattacks targeting those entities.
organisation
BeyondTrust RCE
BeyondTrust RCE flaw now exploited in ransomware attacks.
organisation
PoC
Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after, and in-the-wild exploitation started almost immediately.
organisation
BeyondTrust
The security issue affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier, and can be exploited for remote code execution.
infrastructure
25.3.2
For Remote Support, the recommendation is to install version 25.3.2.
infrastructure
25.1.1
Privileged Remote Access users should switch to version 25.1.1 or newer.
organisation
RS v21.3
Those still at RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.
Tactical Metrics
Metrics
infrastructure
25.3.2
Software Version
For Remote Support, the recommendation is to install version 25.3.2.
Metrics
infrastructure
25.1.1
Software Version
Privileged Remote Access users should switch to version 25.1.1 or newer.
Intelligence Sources
• Data Breaches | 2026-02-20 | Hospitals at Risk of BeyondTrust Ransomware Hacks
• BleepingComputer | 2026-02-20 | CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:07
Comprehensive Tactical Telemetry
Highly Correlated Entities
• 10x | organisation | Identified Entity: The U.S. Department of Health and Human Services | entity
• 7x | attribution | Attributing Entity: The U.S. Cybersecurity and Infrastructure Security Agency | authority
• 6x | timeline | Temporal Reference: Feb. 13 | date
• 2x | industry | Targeted Sector: Health | sector
• 2x | tactic | Cyber Operation Type: Ransomware | tactic
• 2x | infrastructure | Software Version: 25.3.2 | version
Contextual Telemetry
Context Block
2 METRICS
• vulnerability | Exploited CVE: CVE-2026-1731 | cve
• tactic | MITRE ATT&CK Technique: T1588.006 - Vulnerabilities | technique