93/69 Monday, February 16, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the BeyondTrust vulnerability CVE-2026-1731 (CVSS 9.9) to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active exploitation. The flaw is an OS command injection vulnerability affecting certain versions of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products. It allows remote attackers to execute arbitrary commands without authentication or user interaction, potentially leading to full system compromise and data theft.
Concerns escalated after a proof-of-concept (PoC) exploit was published on GitHub on February 10, 2026. According to GreyNoise, scanning activity targeting vulnerable systems surged within 24 hours of the PoC release. A single IP address accounted for approximately 86% of all observed scanning activity, primarily probing non-standard ports, as many organizations move services away from port 443 for security reasons. It is estimated that around 11,000 internet-exposed instances exist, including approximately 8,500 on-premises deployments, many belonging to large organizations in the financial, healthcare, and government sectors.
CISA has directed U.S. federal agencies to remediate the vulnerability by February 16, 2026, in accordance with Binding Operational Directive (BOD) 22-01. Security experts noted that the vulnerability is a variant related to a previously exploited flaw. Organizations are strongly advised to upgrade immediately to Remote Support 25.3.2 or Privileged Remote Access 25.1.1, or later versions. Cloud-based customers were automatically patched as of February 2.
