
CVE-2026-1731: Unauthenticated OS Command Injection Vulnerability in BeyondTrust Remote Support and Privileged Remote Access

BeyondTrust has released fixes for a critical vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access tracked as CVE‑2026‑1731.

Update: Arctic Wolf has observed suspected exploitation of CVE-2026-1731 and has published its findings in an updated security bulletin, available here. 

On February 6, 2026, BeyondTrust released fixes for a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE‑2026‑1731. This vulnerability allows unauthenticated remote threat actors to execute operating system commands in the context of the site user via specially crafted requests. BeyondTrust confirmed that cloud customers were patched automatically on February 2, 2026, requiring no further action, while self-hosted customers must manually apply the updates.

At the time of this writing, CVE‑2026‑1731 has not been observed being exploited in the wild, and Arctic Wolf has not identified a publicly available proof-of-concept. Due to the level of access this vulnerability provides, threat actors may attempt to reverse engineer the patches, especially since RS and PRA have been targeted in the past (as indicated by CISA’s Known Exploited Vulnerabilities Catalog).

Recommendation for CVE-2026-1731

Apply Fixes

Arctic Wolf strongly recommends that customers apply the fixes.

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Remote Support (RS) | 25.3.1 and prior | Patch BT26-02-RS (v21.3 – 25.3.1) |
| Privileged Remote Access (PRA) | 24.3.4 and prior | Patch BT26-02-PRA (v22.1 – 24.X). All versions 25.1 and greater do not require patching for this vulnerability |

Note: Customers running self-hosted Remote Support (RS) versions older than 21.3 or Privileged Remote Access (PRA) versions older than 22.1 must upgrade to a newer version to apply this patch. BeyondTrust has applied the fix to all cloud RS and PRA instances as of February 2, 2026, requiring no further action from cloud customers.

Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
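The following is an added example, not code from the bulletin or from BeyondTrust: a Python triage of an appliance inventory against the version ranges and hosting rules stated above. The host names and inventory rows are constructed, and the function names are hypothetical.

```python
import re

# Ranges transcribed from the bulletin's table, as (major, minor, patch) tuples.
RULES = {
    "RS":  {"patch": "BT26-02-RS",  "patch_min": (21, 3, 0), "affected_max": (25, 3, 1)},
    "PRA": {"patch": "BT26-02-PRA", "patch_min": (22, 1, 0), "affected_max": (24, 3, 4)},
}

# Constructed sample inventory: (host, product, version, hosting model).
INVENTORY = [
    ("rs-edge-01", "RS", "25.3.1", "self-hosted"),
    ("rs-legacy", "RS", "20.1.2", "self-hosted"),
    ("pra-dc-01", "PRA", "24.3.4", "self-hosted"),
    ("pra-new", "PRA", "25.1", "self-hosted"),
    ("rs-saas", "RS", "24.2.1", "cloud"),
]

def parse_version(text):
    """Turn '24.3.4' or '25.1' into a 3-tuple; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version, hosting):
    """Return the action the bulletin prescribes for one appliance."""
    if hosting == "cloud":
        return "none: vendor patched cloud instances on February 2, 2026"
    if product not in RULES:
        raise ValueError(f"unknown product: {product!r}")
    rule, v = RULES[product], parse_version(version)
    if v < rule["patch_min"]:
        # Too old for the patch: the bulletin requires an upgrade first.
        return f"upgrade to a newer version, then apply {rule['patch']}"
    if v <= rule["affected_max"]:
        return f"apply {rule['patch']}"
    if product == "PRA" and v >= (25, 1, 0):
        return "none: PRA 25.1 and greater do not require patching"
    # The bulletin does not cover this version; do not guess either way.
    return "not listed in the bulletin: confirm with the vendor advisory"

def triage_inventory(rows):
    return {host: triage(product, ver, hosting) for host, product, ver, hosting in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host:12} {action}")
```

Versions the bulletin does not mention are reported as unlisted rather than assumed safe, so they surface for manual review.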
