CyberSecurityDive

Critical flaw in BeyondTrust Remote Support sees early signs of exploitation


A critical vulnerability in BeyondTrust Remote Support is facing a surge in reconnaissance activity in preparation for more targeted exploitation, according to security researchers. 

The flaw, tracked as CVE-2026-1731, is an operating system command injection vulnerability that also impacts some older versions of the company’s Privileged Remote Access products. 

If successfully exploited, an unauthenticated attacker can execute arbitrary commands on a server without any credentials or user interaction, researchers warn. 

The flaw is a variant of the same vulnerability used by state-linked threat group Silk Typhoon against the U.S. Treasury Department, according to a blog post from GreyNoise. Hackers stole unclassified documents in the 2024 Treasury Department hack after gaining access to workstations. 

BeyondTrust automatically patched cloud customers against the flaw. Self-hosted customers will need to apply upgrades, according to a blog post published Feb. 6. 

A surge of reconnaissance activity began Wednesday, mostly linked to a single IP address connected to a commercial VPN hosted in Frankfurt, Germany, according to GreyNoise. The scanning began just a day after the release of a proof of concept. 

Researchers at Defused also report a surge in probing activity but caution that any exploitation is limited. 

Ryan Dewhurst, head of threat intelligence at watchTowr, noted the first in-the-wild exploitation of the BeyondTrust flaw in a Thursday post on X.

“Probes and exploitation attempts have been quite limited so far,” researchers at watchTowr told Cybersecurity Dive through a spokesperson. “However, we may see activity ramp up over the coming days.”





Source link