U.S. CISA adds a flaw in BeyondTrust RS and PRA to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini February 14, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in BeyondTrust RS and PRA to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) vulnerability, tracked as CVE-2026-1731 (CVSS score of 9.9), to its Known Exploited Vulnerabilities (KEV) catalog.

This week BeyondTrust released security updates to address the critical flaw in its Remote Support product and in older versions of Privileged Remote Access. The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands on the appliance without ever logging in. The issue, disclosed on February 6, 2026, leads to pre-authentication remote code execution if exploited, making the updates essential to prevent abuse.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability.” reads the advisory. “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

Exploiting the flaw would let a remote attacker run system commands without authentication or user interaction, potentially leading to full system compromise, data theft, and service disruption.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user.” continues the advisory. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

BeyondTrust released patches for CVE-2026-1731 on February 6, and Hacktron researchers subsequently warned that thousands of instances were exposed online.

The Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments. Around 8,500 of these are on-prem systems, which remain vulnerable until their operators patch them. Affected deployments are used mainly by large organizations, including enterprises in the healthcare, financial services, government, and hospitality sectors.

Threat actors began exploiting the newly patched flaw soon after a proof-of-concept exploit became public.

After a PoC exploit went public on February 10, GreyNoise detected attack attempts within 24 hours, with one IP responsible for most reconnaissance activity.

“On February 10, a proof-of-concept exploit for CVE-2026-1731, a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access, was posted to GitHub. By February 11, GreyNoise’s Global Observation Grid was recording reconnaissance probing for vulnerable BeyondTrust instances.” reported GreyNoise.

GreyNoise observed rapid reconnaissance for CVE-2026-1731, led by a single IP responsible for 86% of scans. The activity comes from a long-running scanning operation using a commercial VPN and Linux-based tooling. The scanners mainly probe non-standard ports, suggesting they know enterprises often move BeyondTrust services off port 443. JA4+ fingerprints show shared exploit tooling and VPN tunneling.

The same IPs also target SonicWall, MOVEit, Log4j, Sophos, SSH, and IoT devices, showing multi-exploit behavior. BeyondTrust appliances are high-value targets, and past zero-day exploit chains remain in active use even as new variants quickly emerge.

“The IPs performing reconnaissance for CVE-2026-1731 aren’t single-purpose. While their BeyondTrust activity is a check (enumeration), their GreyNoise profiles show they’re simultaneously conducting active exploitation attempts against other products: SonicWall, MOVEit Transfer, Log4j, Sophos firewalls, SSH brute-forcing, and IoT default-credential testing.” concludes the report. “Some IPs are even using out-of-band callback domains (OAST), a more sophisticated technique to confirm vulnerability before delivering payloads.”
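The GreyNoise findings above translate into three checks a defender can run against their own access logs for a BeyondTrust appliance: whether one source dominates the request volume, whether probes hit the appliance on non-standard ports, and whether requests carry out-of-band (OAST) callback hostnames. The following is an added example, not GreyNoise or BeyondTrust code. The log lines are constructed for the example (RFC 5737 documentation addresses, with the server port appended as a final field), and the list of OAST provider domains is an assumption to be extended with your own Interactsh or Collaborator deployments.

```python
"""Triage of web access logs for scanner reconnaissance patterns:
dominant single source, non-standard port probing, and embedded
out-of-band (OAST) callback hostnames. Added example; sample data is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: combined-log style with the local server port as the last field.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Feb/2026:03:12:01 +0000] "GET /login HTTP/1.1" 200 512 8443
198.51.100.7 - - [11/Feb/2026:03:12:02 +0000] "GET /login HTTP/1.1" 200 512 8443
198.51.100.7 - - [11/Feb/2026:03:12:03 +0000] "POST /api HTTP/1.1" 404 128 8443
198.51.100.7 - - [11/Feb/2026:03:12:04 +0000] "GET /login HTTP/1.1" 200 512 10443
198.51.100.7 - - [11/Feb/2026:03:12:05 +0000] "GET /login HTTP/1.1" 200 512 10443
198.51.100.7 - - [11/Feb/2026:03:12:06 +0000] "GET /login HTTP/1.1" 200 512 443
203.0.113.9 - - [11/Feb/2026:03:20:11 +0000] "GET /?u=http%3A%2F%2Fx.oast.fun HTTP/1.1" 404 128 443
203.0.113.9 - - [11/Feb/2026:03:20:12 +0000] "GET /login HTTP/1.1" 200 512 443
192.0.2.44 - - [11/Feb/2026:03:25:00 +0000] "GET /login HTTP/1.1" 200 512 443
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<port>\d+)$'
)

# Assumed list of common OAST/out-of-band callback services; extend with your own.
OAST_SUFFIXES = ("oast.fun", "oast.live", "oast.me", "oast.pro", "oast.site",
                 "oast.online", "interact.sh", "burpcollaborator.net", "oastify.com")

# Ports on which the appliance is expected to serve; anything else is "non-standard".
STANDARD_PORTS = {443}


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def has_oast_callback(path):
    """True if a URL-decoded request path/query references a known OAST domain."""
    decoded = unquote(path).lower()
    return any(suffix in decoded for suffix in OAST_SUFFIXES)


def triage(log_text, top_share_threshold=0.5):
    """Summarise the three recon indicators over a block of log text."""
    rows = parse(log_text)
    per_ip = Counter(r["ip"] for r in rows)
    total = sum(per_ip.values())
    nonstd = Counter(r["ip"] for r in rows if r["port"] not in STANDARD_PORTS)
    oast_ips = sorted({r["ip"] for r in rows if has_oast_callback(r["path"])})
    top_ip, top_n = per_ip.most_common(1)[0] if per_ip else (None, 0)
    return {
        "total": total,
        "top_ip": top_ip,
        "top_share": round(top_n / total, 3) if total else 0.0,
        "dominant_scanner": bool(total) and top_n / total >= top_share_threshold,
        "nonstandard_port_ips": dict(nonstd),
        "oast_callback_ips": oast_ips,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports one source responsible for two thirds of all requests, the same source probing ports 8443 and 10443, and a second source embedding an OAST hostname in a query parameter. Feed it real appliance logs (or a SIEM export converted to this shape) to see whether the same pattern appears in your environment; the OAST substring match is deliberately loose and should be tightened to a hostname parse if it produces noise.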

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by February 16, 2026.
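BOD 22-01 turns the KEV catalog into a deadline list, and the practical task is to pull the catalog, pick out the entries for the vendors you run, and see how many days remain (or how far past due you are). The script below is an added example, not CISA tooling. It works offline on a constructed two-entry sample written in the schema of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the BeyondTrust due date is the one in the article, while the `dateAdded` value, the description strings and the second (Log4j) entry's dates are illustrative and should be taken from the live feed in practice.

```python
"""Filter the CISA KEV catalog by vendor and compute BOD 22-01 due-date status.
Added example; SAMPLE_KEV is a constructed catalog in the real feed's schema."""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample. Field names follow the live feed; values are illustrative
# except the BeyondTrust dueDate, which is the February 16, 2026 deadline.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-1731",
            "vendorProject": "BeyondTrust",
            "product": "Remote Support (RS) and Privileged Remote Access (PRA)",
            "vulnerabilityName": "BeyondTrust RS and PRA pre-authentication remote code execution (sample text)",
            "dateAdded": "2026-02-13",
            "shortDescription": "Unauthenticated attacker can execute OS commands via crafted requests (sample text).",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-02-16",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 remote code execution (sample text)",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI lookup in log messages leads to remote code execution (sample text).",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
    ],
})


def load_catalog(text):
    """Return the list of vulnerability entries from KEV JSON text."""
    return json.loads(text)["vulnerabilities"]


def find_entries(entries, vendor=None, cve_ids=None):
    """Filter entries by case-insensitive vendor substring and/or an explicit CVE set."""
    out = []
    for e in entries:
        if vendor and vendor.lower() not in e["vendorProject"].lower():
            continue
        if cve_ids and e["cveID"] not in cve_ids:
            continue
        out.append(e)
    return out


def days_until_due(entry, today_iso):
    """Days from today_iso (YYYY-MM-DD) to the entry's dueDate; negative when overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def triage(entries, today_iso, vendor=None):
    """Build a deadline report sorted so the most urgent (or most overdue) item is first."""
    report = []
    for e in find_entries(entries, vendor=vendor):
        left = days_until_due(e, today_iso)
        status = "overdue" if left < 0 else ("due today" if left == 0 else "open")
        report.append({"cveID": e["cveID"], "vendor": e["vendorProject"],
                       "dueDate": e["dueDate"], "daysLeft": left, "status": status})
    return sorted(report, key=lambda r: r["daysLeft"])


def fetch_live_catalog(url=KEV_FEED_URL, timeout=30):
    """Download the real feed (network required); not used by the offline sample run."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return load_catalog(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for row in triage(load_catalog(SAMPLE_KEV), "2026-02-14"):
        print(row)
```

Run as-is, the script evaluates the sample as of the article date (February 14, 2026) and shows the BeyondTrust entry with two days left and the Log4j entry long overdue. Swapping `load_catalog(SAMPLE_KEV)` for `fetch_live_catalog()` and passing `vendor="BeyondTrust"` gives the same report against the current catalog; the due date is binding on FCEB agencies, but the same report is a reasonable patch-priority signal for anyone else running the affected appliances.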

US CISA also published an alert related to this flaw.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)




Source: https://securityaffairs.com/187982/breaking-news/u-s-cisa-adds-a-flaw-in-beyondtrust-rs-and-pra-to-its-known-exploited-vulnerabilities-catalog.html