CVE-2026-1731: BeyondTrust Remote Support and Privileged Remote Access Pre-Auth RCE

ID: 7c99b099-71b9-5f17-ac60-e2d0c51882d9

STIX ID: report--7c99b099-71b9-5f17-ac60-e2d0c51882d9

Feed Name: NoHackie

Threat Score: 92/100

Date Published: 2026-02-14

Date Updated: 2026-04-19


BeyondTrust disclosed CVE-2026-1731, a critical (CVSS 9.9) unauthenticated OS command injection in Remote Support and affected Privileged Remote Access versions. A PoC appeared within days, widespread scanning and exploitation were observed, and Arctic Wolf reported active compromises with lateral movement. The report documents attacker reconnaissance and exploitation patterns (including use of SimpleHelp binaries, creation of domain accounts with elevated privileges, and PsExec and Impacket activity), highlights a large attack surface (~11,000 exposed instances, many on-premises), and links the vulnerability to prior Silk Typhoon activity against the same WebSocket endpoint. It urges immediate patching, investigation for indicators of compromise, and network access controls for privileged access tools.
