BeyondTrust command injection is exactly the kind of remote-access risk SOCs cannot treat as routine

CVE-2026-1731 is now in CISA's Known Exploited Vulnerabilities catalogue as of 2026-02-13. The advisory deserves operational attention, not a sleepy calendar reminder.

The affected product is BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA describes the issue as BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability. In plainer terms: BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.

Remote access tooling is already an approved way through the wall. That is why compromise here is so useful.

Why it matters

Privileged access software is supposed to reduce risk. When it is exposed, the failure mode is ugly because the product is already wired into admin workflows.

This is where vulnerability management often falls over. Teams record the CVE, ask for a patch date, and move on. That works for low-value software. It does not work for systems that manage identity, remote access, endpoints, build pipelines, network policy, backups, observability, or customer-facing applications.

The better question is what an attacker gets after exploiting it. Shell access is bad. Access to a management console, token store, CI runner, or edge controller is worse because it can turn one bug into a path through the estate.

First checks

Treat the product as a credential and control-plane system. Check admin activity, command execution logs, session recordings, credential vault access, and any new integrations.

Ask four questions before closing the ticket:

• Is it deployed anywhere, including old lab, DR, MSP, and vendor-managed environments?
• Is any instance reachable from the internet or a broad internal network?
• Which accounts, tokens, certificates, or integrations does it hold?
• Can the logs show exploitation attempts, successful use, and post-exploitation changes?

If one of those answers is missing, record that as a gap. Do not bury it in the patch ticket. Future incident responders will not appreciate the archaeological dig.

Hunt notes

Start with the boring evidence:

• new or rare administrator logins
• access from unusual ASNs, VPN pools, jump hosts, or user subnets
• new users, API keys, service accounts, scheduled tasks, webhooks, connectors, or tunnels
• configuration exports, backup downloads, disabled logging, or policy edits
• unexpected child processes, shell commands, archive creation, or outbound callbacks
• user agents and API calls that do not match normal admin tooling

For internet-facing systems, keep the hunt window wider than the patch window. Public exploit activity often starts before the internal meeting invite appears. A shocking development, I know.

S6 view

This belongs in the same 2026 pattern as the other KEV additions: attackers keep aiming at control points. Firewalls, SD-WAN managers, endpoint consoles, remote access platforms, developer tools, and AI gateways all share the same problem. Other systems trust them.

This is the work that makes security feel boring. Good. Boring is usually what attackers hate most.

Sources

• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
• https://nvd.nist.gov/vuln/detail/CVE-2026-1731