The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on Friday to secure their BeyondTrust Remote Support instances against an actively exploited vulnerability within three days.

BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including government agencies and 75% of Fortune 100 companies worldwide.

Tracked as CVE-2026-1731, this remote code execution vulnerability stems from an OS command injection weakness and affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

While BeyondTrust patched all Remote Support and Privileged Remote Access SaaS instances on February 2, 2026, on-premise customers must install patches manually.

"Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user," BeyondTrust said when it patched the vulnerability on February 6. "Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."

Hacktron, who discovered the vulnerability and responsibly disclosed it to BeyondTrust on January 31, warned that approximately 11,000 BeyondTrust Remote Support instances were exposed online, around 8,500 of them being on-premises deployments.

On Thursday, six days after BeyondTrust released CVE-2026-1731 security patches, watchTowr head of threat intelligence Ryan Dewhurst reported that attackers are now actively exploiting the security flaw, warning admins that unpatched devices should be assumed to be compromised.

Federal agencies ordered to patch immediately

One day later, CISA confirmed Dewhurst's report, added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their BeyondTrust instances by the end of Monday, February 16, as mandated by Binding Operational Directive (BOD) 22-01.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the U.S. cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

CISA's warning comes on the heels of other BeyondTrust security flaws that were exploited to compromise the systems of U.S. government agencies.

For instance, the U.S. Treasury Department revealed two years ago that its network had been hacked in an incident linked to the Silk Typhoon,  a notorious Chinese state-backed cyberespionage group.

Silk Typhoon is believed to have exploited two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) to breach BeyondTrust's systems and later used a stolen API key to compromise 17 Remote Support SaaS instances, including the Treasury's instance.

The Chinese hacking group has also targeted the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks.