BeyondTrust Critical Pre-Auth RCE Flaw Exposes Thousands of Instances
The vulnerability, tracked as CVE-2026-1731, stems from an OS command injection weakness classified as CWE-78, which occurs when the application fails to properly neutralize special elements used in OS commands. An attacker exploiting this flaw can execute commands in the context of the site user, potentially enabling unauthorized access to sensitive systems, lateral movement across networks, and exfiltration of critical data. BeyondTrust Remote Support versions 25.3.1 and earlier, along with Privileged Remote Access versions 24.3.4 and earlier, are affected.
The flaw was discovered on January 31, 2026, by security researcher Harsh Jaiswal and the Hacktron AI team through AI-enabled variant analysis, making it one of the first high-profile critical vulnerabilities identified primarily through artificial intelligence-assisted research methods. BeyondTrust published its advisory under identifier BT26-02 on February 6 and automatically patched all cloud and SaaS customer instances by February 2. Self-hosted customers must manually upgrade to Remote Support version 25.3.2 or later, or Privileged Remote Access version 25.1.1 or later.
While no active exploitation of CVE-2026-1731 has been confirmed so far, the urgency to patch is heightened by BeyondTrust's recent security history. In late 2024, two zero-day vulnerabilities in these same products, tracked as CVE-2024-12356 and CVE-2024-12686, were weaponized by the Chinese state-sponsored threat actor Silk Typhoon to breach systems at the United States Department of the Treasury. That incident demonstrated that attackers closely monitor BeyondTrust disclosures and can rapidly develop exploits for newly discovered flaws in remote access tools.
Organizations running on-premises BeyondTrust Remote Support or Privileged Remote Access deployments are strongly urged to apply the patches immediately. Those unable to update should restrict network access to the management interface, monitor logs for anomalous client requests, and implement network segmentation to limit the potential blast radius. Given the trivial exploitability, the lack of authentication requirements, and the high-value nature of remote access infrastructure, security teams should treat this vulnerability as a top-priority remediation item.