Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr.
“Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors,” Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. “Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel.”
The vulnerability in question is CVE-2026-1731 (CVS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests.
BeyondTrust noted last week that successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.
It has been patched in the following versions –
- Remote Support – Patch BT26-02-RS, 25.3.2 and later
- Privileged Remote Access – Patch BT26-02-PRA, 25.1.1 and later
The use of CVE-2026-1731 demonstrates how quickly threat actors can weaponize new vulnerabilities, significantly shrinking the window for defenders to patch critical systems.
CISA Adds 4 Flaws to KEV Catalog
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows –
- CVE-2026-20700 (CVSS score: 7.8) – An improper restriction of operations within the bounds of a memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS that could allow an attacker with memory write capability to execute arbitrary code.
- CVE-2025-15556 (CVSS score: 7.7) – A download of code without an integrity check vulnerability in Notepad++ that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer and lead to arbitrary code execution with the privileges of the user.
- CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability in SolarWinds Web Help Desk that could allow an unauthenticated attacker to gain access to certain restricted functionality.
- CVE-2024-43468 (CVSS score: 9.8) – An SQL injection vulnerability in Microsoft Configuration Manager that could allow an unauthenticated attacker to execute commands on the server and/or underlying database by sending specially crafted requests.
It’s worth noting that CVE-2024-43468 was patched by Microsoft in October 2024 as part of its Patch Tuesday updates. It’s currently unclear how this vulnerability is being exploited in real-world attacks. Nor is there any information about the identity of the threat actors exploiting the flaw and the scale of such efforts.
The addition of CVE-2024-43468 to the KEV catalog follows a recent report from Microsoft about…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
