CISA: BeyondTrust RCE flaw now exploited in ransomware attacks
BeyondTrust Remote Support and Privileged Remote Access contain a serious vulnerability, CVE-2026-1731, that can lead to remote code execution. CISA has listed it as a known exploited vulnerability and required federal agencies to fix it or stop using the product within three days. The vulnerability has been used in real-world attacks and was a zero-day.

2026-2-20 17:15:21 Author: www.bleepingcomputer.com


Hackers are actively exploiting the CVE-2026-1731 vulnerability in the BeyondTrust Remote Support product, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns.

The security issue affects BeyondTrust's Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier, and can be exploited for remote code execution.

CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies just three days to apply the patch or stop using the product.


BeyondTrust initially disclosed CVE-2026-1731 on February 6. The security advisory classified it as a pre-authentication remote code execution vulnerability caused by an OS command injection weakness, exploitable via specially crafted client requests sent to vulnerable endpoints.

Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after, and in-the-wild exploitation started almost immediately.

On February 13, BeyondTrust updated the bulletin to say that exploitation had been detected on January 31, making CVE-2026-1731 a zero-day vulnerability for at least a week.

BeyondTrust states that the report from researcher Harsh Jaiswal and the Hacktron AI team confirmed the anomalous activity that they detected on a single Remote Support appliance at the time.

CISA has now activated the ‘Known To Be Used in Ransomware Campaigns?’ indicator in the KEV catalog.

For customers of the cloud-based application (SaaS), the vendor states the patch was applied automatically on February 2, so no manual intervention is needed.

Customers of the self-hosted instances need to either enable automatic updates and verify that the patch was applied via the '/appliance' interface or manually install it.

For Remote Support, the recommendation is to install version 25.3.2. Privileged Remote Access users should switch to version 25.1.1 or newer.

Customers still on RS v21.3 and PRA v22.1 are advised to upgrade to a newer version before applying the patch.
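A defender-side triage sketch for the two points above, the KEV ransomware indicator changing after the entry was first published and the fixed versions for self-hosted appliances. This is an added example, not code from BleepingComputer, CISA or BeyondTrust; the snapshots and the inventory are constructed sample data, the host names are hypothetical, and the field names are those of CISA's KEV JSON feed.

```python
import json

# Constructed KEV snapshots; values are sample data built from the article's
# dates (added February 13, three-day deadline).
OLD = json.loads('''{"vulnerabilities": [{"cveID": "CVE-2026-1731",
  "dateAdded": "2026-02-13", "dueDate": "2026-02-16",
  "knownRansomwareCampaignUse": "Unknown"}]}''')
NEW = json.loads('''{"vulnerabilities": [{"cveID": "CVE-2026-1731",
  "dateAdded": "2026-02-13", "dueDate": "2026-02-16",
  "knownRansomwareCampaignUse": "Known"}]}''')

# First fixed versions as stated in the article.
FIXED = {"Remote Support": (25, 3, 2), "Privileged Remote Access": (25, 1, 1)}

# Hypothetical self-hosted inventory (constructed).
INVENTORY = [
    {"host": "rs-01", "product": "Remote Support", "version": "25.3.1"},
    {"host": "rs-02", "product": "Remote Support", "version": "25.3.2"},
    {"host": "pra-01", "product": "Privileged Remote Access", "version": "24.3.4"},
]

def ransomware_flips(old, new):
    """CVE IDs marked 'Known' in new that were absent or not 'Known' in old."""
    before = {v["cveID"]: v.get("knownRansomwareCampaignUse", "Unknown")
              for v in old["vulnerabilities"]}
    return sorted(v["cveID"] for v in new["vulnerabilities"]
                  if v.get("knownRansomwareCampaignUse") == "Known"
                  and before.get(v["cveID"]) != "Known")

def parse_version(text):
    """'25.3.1' -> (25, 3, 1); tuple comparison avoids string-order bugs."""
    return tuple(int(part) for part in text.split("."))

def unpatched(inventory):
    """Hosts below the first fixed version; confirm patch state in /appliance."""
    return [a["host"] for a in inventory
            if a["product"] in FIXED
            and parse_version(a["version"]) < FIXED[a["product"]]]

def triage(old, new, inventory):
    """Escalate unpatched hosts only when CVE-2026-1731 is newly flagged."""
    if "CVE-2026-1731" in ransomware_flips(old, new):
        return unpatched(inventory)
    return []

if __name__ == "__main__":
    print(triage(OLD, NEW, INVENTORY))
```

The version comparison only identifies candidates; the patch state shown in the '/appliance' interface remains the check the article names.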



Article source: https://www.bleepingcomputer.com/news/security/cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks/