Yotam Gutman

19.5.2026

BeyondTrust CVE-2026-1731: When Privileged Access Management Becomes the Attack Path

A CVSS 9.9 pre-authentication RCE in BeyondTrust Remote Support and Privileged Remote Access went from public PoC to active ransomware exploitation in 24 hours. The post explains why the architecture is the problem, not the patch cycle, and

On February 10, 2026, a public proof-of-concept for BeyondTrust CVE-2026-1731 was released. Within 24 hours, threat actors were actively exploiting it. The vulnerability is a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access (PRA), rated CVSS 9.9. CISA added it to the Known Exploited Vulnerabilities catalogue on February 13, 2026. Ransomware groups followed.

BeyondTrust serves more than 20,000 customers, including 75 of the Fortune 100. The product line that was exploited is the one organizations use to grant external support technicians and privileged vendors access to their most sensitive systems.

CVE-2026-1731 is now a ransomware entry point.

What does CVE-2026-1731 mean for organizations using PAM for remote access?

The flaw affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior. The attack requires no authentication. A remote attacker sends a crafted request to the network-exposed WebSocket component and achieves code execution on the server. From that foothold, lateral movement into the network is straightforward.

BeyondTrust auto-patched its SaaS instances on February 2, 2026 and released fixed builds for self-hosted customers. Rapid7 published a technical advisory. A public PoC dropped within days. Ransomware operators had working exploits within 24 hours of the PoC.
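For self-hosted deployments, the first practical step is an inventory pass that flags every appliance still inside the affected range stated above (Remote Support 25.3.1 and prior, PRA 24.3.4 and prior) and orders the result by exposure. The script below is an added illustration written for this post, not BeyondTrust's or Rapid7's tooling; the inventory records are constructed, the product names are used as plain labels, and because the fixed build numbers are not given here, anything above the stated ceilings is reported as "outside the stated affected range" rather than "fixed". The version parser compares numerically so that, for example, 25.3.10 is not mistaken for a build older than 25.3.1.

```python
"""Triage self-hosted BeyondTrust appliances against the CVE-2026-1731
affected ranges quoted in the advisory summary above.

Added example. Inventory rows are constructed; the affected ceilings are
the ones the post states. Versions above a ceiling are not asserted fixed.
"""
from dataclasses import dataclass
import re

# Highest affected version per product, as stated in the post.
AFFECTED_CEILING = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}


def parse_version(text):
    """Map '25.3.1', 'v25.3' or '24.3.4-hotfix1' to a comparable int tuple.

    Missing components count as 0, so '25.3' == (25, 3, 0). Integer
    comparison avoids the string trap where '25.3.10' sorts below '25.3.9'.
    """
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_in_affected_range(product, version):
    """True when the build is at or below the advisory's affected ceiling."""
    ceiling = AFFECTED_CEILING.get(product)
    if ceiling is None:
        raise KeyError(f"no advisory data for product {product!r}")
    return parse_version(version) <= ceiling


@dataclass
class Appliance:
    host: str
    product: str
    version: str
    internet_exposed: bool  # reachable from outside the perimeter


@dataclass
class Finding:
    host: str
    product: str
    version: str
    affected: bool
    internet_exposed: bool


def triage(appliances):
    """Return one Finding per appliance, most urgent first.

    Order: affected and internet-exposed, then affected but internal only,
    then everything else; ties broken by hostname for stable output.
    """
    findings = [
        Finding(a.host, a.product, a.version,
                is_in_affected_range(a.product, a.version), a.internet_exposed)
        for a in appliances
    ]
    findings.sort(key=lambda f: (not f.affected, not f.internet_exposed, f.host))
    return findings


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    Appliance("rs-dmz-01", "Remote Support", "25.3.1", True),
    Appliance("rs-lab-02", "Remote Support", "25.3.10", False),
    Appliance("pra-core-01", "Privileged Remote Access", "24.3.4", True),
    Appliance("pra-core-02", "Privileged Remote Access", "24.2.9", False),
    Appliance("pra-new-01", "Privileged Remote Access", "v25.1", False),
]


def report(findings):
    """Render the triage as text lines; returns them so callers can log them."""
    lines = []
    for f in findings:
        if f.affected and f.internet_exposed:
            status = "PATCH NOW: affected build, exposed WebSocket endpoint"
        elif f.affected:
            status = "PATCH: affected build, internal reach only"
        else:
            status = "outside the stated affected range"
        lines.append(f"{f.host:<12} {f.product:<25} {f.version:<9} {status}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_INVENTORY)):
        print(line)
```

The exposure flag only changes the order of the output, not the verdict: an affected build on the internal network is still a pre-authentication RCE reachable by anyone who gets a foothold, so both rows are marked for patching.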

The patch cycle and the exploitation timeline are now measured in the same unit: hours.

Why PAM tools carry a specific risk profile for remote access

PAM products are not standard remote access tools. They are the keyholders. BeyondTrust PRA manages privileged vendor and third-party access, which means the highest-trust sessions in the network, connecting external parties to the most sensitive internal systems.

When a pre-authentication RCE exists in the component that manages privileged access, the attacker does not just gain a foothold. The attacker lands directly in the privileged access layer, with the full connectivity that layer was built to provide.

This differs from a credential compromise or a phishing attack. No credentials are needed. The exploitation path runs through the product architecture itself.

The pattern across the remote access stack

CVE-2026-1731 did not arrive in isolation. Citrix CVE-2026-3055 (CitrixBleed 3) is a CVSS 9.3 unauthenticated memory overread in NetScaler ADC and Gateway, added to the CISA KEV catalogue on March 30, 2026 and confirmed under active exploitation. Microsoft's April 2026 Patch Tuesday delivered CVE-2026-26159, a privilege escalation to SYSTEM in the Remote Desktop Licensing Service affecting every supported Windows Server version from 2012 R2 through 2025. Shadowserver identified over 5,000 Ivanti Connect Secure instances vulnerable to CVE-2025-22457 in active April scanning, with a suspected China-nexus group already exploiting the flaw. In May 2026, Palo Alto Networks confirmed active exploitation of PAN-OS CVE-2026-0300 in the User-ID Authentication Portal, with CISA adding it to KEV on May 6 and a patch arriving only on May 13.

These are not isolated incidents. Remote access infrastructure, whether VPN concentrators, ZTNA brokers, PAM platforms, or RDP licensing services, runs software on networked devices. Software that processes authentication input on network-reachable devices will produce vulnerabilities in that processing. The past 18 months have produced a continuous stream of critical CVEs across every major software-defined remote access vendor.

The question for security architects is not which vendor has the faster patch cycle. It is whether the architecture that makes this class of CVE possible is the right one for the environments they protect.

What hardware isolation removes from the equation

Zeroport Fantom delivers hardware-enforced, non-IP remote access. The connection does not run over IP. There is no software authentication endpoint to send a crafted request to. There is no memory holding session tokens or authentication material that an unauthenticated attacker can read.

CVE-2026-1731 requires a reachable endpoint running software that processes authentication input. Zeroport's architecture removes that endpoint. The attack surface is not mitigated. It is absent.

For security architects evaluating privileged access management against the current threat environment, the question is whether the PAM layer itself needs to carry a CVSS 9.9 risk profile. Hardware-enforced isolation removes that risk class at the architectural level.

Book a live demo to see how Zeroport Fantom delivers hardware-enforced protection with no software attack surface at the network edge.
