
Actively exploited BeyondTrust RCE bug exposes identity infrastructure


A previously patched bug in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products was actively exploited in the wild.

In a Feb. 12 post on X, Ryan Dewhurst, a watchTowr researcher, said his team observed a “first-in-the-wild” exploitation of BeyondTrust across its global sensors that same day.

The critical 9.9 bug — CVE-2026-1731 — was patched on Feb. 6. If left unprotected, it could let an unauthenticated attacker achieve remote code execution (RCE) by sending specially crafted requests.

Denis Calderone, principal and CTO at Suzu Labs, said when this one dropped, his team flagged it to their clients immediately as a “stop-what-you’re-doing-and-patch situation.” A CVSS 9.9 unauthenticated remote code execution against a privileged access tool “is no joke,” said Calderone.

“Rapid7 publishes a proof-of-concept on Tuesday and by Wednesday attackers are already scanning for vulnerable instances,” said Calderone. “That turnaround should surprise no one at this point.”

Calderone explained that this vulnerability sits in the same endpoint as CVE-2024-12356, the flaw that Chinese state actors used to breach the U.S. Treasury in 2024: same WebSocket endpoint, different code path, according to GreyNoise.

“So the original patch didn’t fully close the door,” said Calderone. “Patch immediately if you haven’t already, and if your on-prem instances were exposed between Feb. 6 and now, assume compromise and investigate. Don’t wait for confirmation.”

Rajeev Raghunarayan, head of GTM at Averlon, added that remote access systems become high impact when compromised because they sit in the middle of identity and privilege flows: the real question is not just that a critical vulnerability exists, but what that compromised system gets permitted to access.

“In many environments, permissions have become the attack surface,” said Raghunarayan. “Identities accumulate access over time and are rarely reviewed. If a compromised tool can assume broad roles or traverse multiple environments, the blast radius expands far beyond the initial flaw. Patching closes the entry point. Governing permissions is what limits the damage.”
