Vulnerability Management, Patch/Configuration Management, Ransomware

CISA update: BeyondTrust RCE exploited in ransomware attacks

(Credit: monticellllo – stock.adobe.com)

The Cybersecurity and Infrastructure Security Agency (CISA) on Feb. 19 updated its entry to CISA’s Known Exploited Vulnerabilities (KEV) catalog for a previously patched BeyondTrust bug that’s now being exploited in ransomware attacks. 

This was the same day Unit 42 researchers at Palo Alto Networks warned that they had seen an increase in attacks exploiting the BeyondTrust flaw.

SC Media reported on Feb. 13 that the critical CVSS 9.9 bug — CVE-2026-1731 — was patched on Feb. 6. If left unpatched, the vulnerability could let an unauthenticated attacker achieve remote code execution (RCE) by sending specially-crafted requests.

Now that it's confirmed by CISA that CVE-2026-1731 has been exploited in ransomware attacks, security experts say teams need to patch right away.

“When CISA updates a KEV entry because ransomware actors are actively exploiting a flaw, that’s the moment it shifts from vulnerability management to incident response,” said Douglas McKee, director of vulnerability intelligence at Rapid7. "This BeyondTrust issue affects identity and privileged access infrastructure, and that’s what makes it particularly dangerous. We are not talking about a low-value edge device. We are talking about a system that often has deep trust relationships and elevated permissions across the environment.”

McKee pointed out that if attackers can gain RCE across an organization’s environment, they potentially inherit the keys to the kingdom. At that point, McKee said ransomware deployment “becomes a matter of timing, not capability.”

John Bambenek, president at Bambenek Consulting, added that if it’s not possible to patch immediately, take the BeyondTrust portal offline until the team can patch it, or at least restrict access to the appliance portal to internal IP addresses only.

“Additionally, WAF appliances can inspect (or block) traffic to the portal’s /nw endpoint and/or filter inappropriate bash commands in WebSocket calls,” said Bambenek.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds