Exploitation of BeyondTrust Remote Support and Privileged Remote Access (CVE-2026-1731)

As an Assured Cyber Incident Response provider, we are sharing the NCSC’s guidance on vulnerability CVE-2026-1731 to help organisations understand the potential risk and take any necessary action. We recommend reviewing the advice carefully. See the NCSC advice below:

The NCSC are directly aware of the attempted and successful exploitation of CVE-2026-1731.

The NCSC advises organisations to ensure remedial action has been taken to mitigate vulnerability CVE-2026-1731 affecting BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA).

The following product versions are known to be vulnerable:

  • BeyondTrust Remote Support 25.3.1 and prior
  • BeyondTrust Privileged Remote Access 24.3.4 and prior

What has happened?

BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical pre-authentication remote code execution vulnerability that may be triggered through specially crafted client requests. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user and may lead to system compromise, including unauthorised access, data exfiltration, and service disruption. The vendor published an advisory and software updates to mitigate the vulnerability.

Exploitation

The vendor is aware of active exploitation against a limited number of self-hosted customers. Observed exploitation activity has been limited to internet-facing, self-hosted environments where the update had not been applied before 9th February 2026.

What Should I Do?

The vendor has already taken steps to address this vulnerability and notify customers as detailed in the advisory.

The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. In this case, if you use an affected product, you should take these priority actions:

1. Fully investigate for evidence of compromise using an assured Cyber Incident Response provider. If you are unable to do this, you should fully rebuild the device.

2. If you believe you have been compromised and are in the UK, you should report it.

3. If the BeyondTrust update service is enabled, you should verify the updates were installed successfully.

4. For self-hosted installations, due to the period of exposure, rebuilding the device before installing the latest version is advised.

5. Apply any appropriate security hardening.

6. Perform continuous threat hunting activities.
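
As an added illustration (not part of the NCSC advice or the vendor advisory), the sketch below triages an asset inventory against the version thresholds and the 9th February 2026 exposure date quoted above. The record layout, host names, action labels and the sample versions above the thresholds are assumptions constructed for the example; they do not state which releases contain the fix.

```python
from datetime import date

# Thresholds quoted in the advisory: these versions and earlier are vulnerable.
VULNERABLE_UP_TO = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}
# Exploitation was seen where the update was not applied before this date.
EXPOSURE_CUTOFF = date(2026, 2, 9)

def parse_version(text):
    """Turn '25.3.1' into (25, 3, 1); pad short strings so '24.3' means 24.3.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(host):
    """Map one inventory record (hypothetical layout) to a priority action."""
    vulnerable = parse_version(host["version"]) <= VULNERABLE_UP_TO[host["product"]]
    exposed = host["self_hosted"] and host["internet_facing"]
    patched_on = host.get("patched_on")  # None = no record of the update
    late_patch = patched_on is None or patched_on >= EXPOSURE_CUTOFF
    if exposed and (vulnerable or late_patch):
        return "investigate-or-rebuild"  # priority actions 1 and 4
    if vulnerable:
        return "update-now"              # apply the vendor update
    return "verify-update"               # priority action 3

# Constructed sample inventory; names, versions and dates are illustrative only.
INVENTORY = [
    {"name": "rs-edge-01", "product": "RS", "version": "25.3.1",
     "self_hosted": True, "internet_facing": True, "patched_on": None},
    {"name": "pra-int-01", "product": "PRA", "version": "24.3.4",
     "self_hosted": True, "internet_facing": False, "patched_on": None},
    {"name": "rs-edge-02", "product": "RS", "version": "25.3.2",
     "self_hosted": True, "internet_facing": True, "patched_on": date(2026, 2, 12)},
    {"name": "pra-edge-01", "product": "PRA", "version": "24.3.5",
     "self_hosted": True, "internet_facing": True, "patched_on": date(2026, 2, 5)},
]

def triage_all(inventory):
    """Return {host name: action} for every record in the inventory."""
    return {h["name"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, action in triage_all(INVENTORY).items():
        print(f"{name:12} {action}")
```

An internet-facing, self-hosted host with no record of the update before the cutoff is routed to investigation even when it now reports a newer version, because updating does not show whether it was compromised while exposed.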

Further Resources

NCSC resources to help secure systems:

If you think your organisation may be affected, or you would like support understanding your exposure and next steps, please get in touch for a no-obligation chat with our team. We are here to help you assess the situation and respond appropriately.

About the author

George Chapman
George Chapman is a Senior Security Consultant with a background spanning red teaming, incident response, penetration testing, and vulnerability research. His work bridges offensive and defensive disciplines, enabling him to deliver robust security evaluations and strategic guidance that help organisations identify weaknesses and improve their overall cyber maturity.