Threat actors began targeting a recently patched BeyondTrust vulnerability shortly after a proof-of-concept (PoC) exploit was released.
The critical flaw is tracked as CVE-2026-1731 and it affects BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The vulnerability can be exploited for unauthenticated remote code execution using specially crafted requests.
BeyondTrust announced patches for CVE-2026-1731 on February 6, the same day Hacktron AI, whose researchers discovered the issue in late January, warned that roughly 11,000 instances had been exposed to the internet, including approximately 8,500 on-prem deployments that may have been vulnerable to attacks.
“Given that BeyondTrust Remote Support and Privileged Remote Access are widely deployed in enterprise environments for remote access and privileged session management, the potential blast radius of this vulnerability is significant,” Hacktron said.
A PoC exploit for CVE-2026-1731 was made public on February 10 and threat intelligence firm GreyNoise started seeing attack attempts within 24 hours.
The security company has observed attacks originating from multiple IP addresses, but one IP accounts for 86% of reconnaissance activity.
“[The IP is] associated with a commercial VPN service hosted by a provider in Frankfurt and has been an active scanner in our data since 2023,” GreyNoise explained. “This isn’t a new actor; it’s an established scanning operation that rapidly added CVE-2026-1731 checks to its toolkit.”
GreyNoise also pointed out that some of the IPs targeting CVE-2026-1731 were previously observed attempting to exploit vulnerabilities in SonicWall, MOVEit, Apache, and Sophos products, and they also tried to access systems using brute force and default credentials.
WatchTowr and Defused have confirmed in-the-wild exploitation attempts of CVE-2026-1731.
Threat actors, including state-sponsored groups, have been known to exploit BeyondTrust product vulnerabilities in their attacks. The China-linked Silk Typhoon reportedly exploited a vulnerability in late 2024 to target the US Department of the Treasury.
GreyNoise reported on Thursday that the vulnerability whose exploitation was first observed in 2024 was still being targeted by malicious hackers up until at least January 2026.
Related: Code Execution Vulnerabilities Patched in Veeam, BeyondTrust Products
Related: Rapid7 Flags New PostgreSQL Zero-Day Connected to BeyondTrust Exploitation
