The Cybersecurity and Infrastructure Security Agency (CISA) on Feb. 19 updated its entry to CISA’s Known Exploited Vulnerabilities (KEV) catalog for a previously patched BeyondTrust bug that’s now being exploited in ransomware attacks. This was the same day Unit 42 researchers at Palo Alto Networks warned that they had seen an increase in attacks exploiting the BeyondTrust flaw.SC Media reported on Feb. 13 that the critical CVSS 9.9 bug — CVE-2026-1731 — was patched on Feb. 6. If left unpatched, the vulnerability could let an unauthenticated attacker achieve remote code execution (RCE) by sending specially-crafted requests.Now that it's confirmed by CISA that CVE-2026-1731 has been exploited in ransomware attacks, security experts say teams need to patch right away.“When CISA updates a KEV entry because ransomware actors are actively exploiting a flaw, that’s the moment it shifts from vulnerability management to incident response,” said Douglas McKee, director of vulnerability intelligence at Rapid7. "This BeyondTrust issue affects identity and privileged access infrastructure, and that’s what makes it particularly dangerous. We are not talking about a low-value edge device. We are talking about a system that often has deep trust relationships and elevated permissions across the environment.”McKee pointed out that if attackers can gain RCE across an organization’s environment, they potentially inherit the keys to the kingdom. At that point, McKee said ransomware deployment “becomes a matter of timing, not capability.”John Bambenek, president at Bambenek Consulting, added that if it’s not possible to patch immediately, take the BeyondTrust portal offline until the team can patch it, or at least restrict access to the appliance portal to internal IP addresses only.“Additionally, WAF appliances can inspect (or block) traffic to the portal’s /nw endpoint and/or filter inappropriate bash commands in WebSocket calls,” said Bambenek.
Vulnerability Management, Patch/Configuration Management, Ransomware
CISA update: BeyondTrust RCE exploited in ransomware attacks

(Credit: monticellllo – stock.adobe.com)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



