A critical remote code execution vulnerability, now under active attack, forces an emergency three-day remediation window as researchers warn thousands of exposed instances remain unpatched

Continue reading
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive mandating that all Federal Civilian Executive Branch (FCEB) agencies secure their BeyondTrust instances against a critical, actively exploited vulnerability by the end of today, February 16, 2026. The Binding Operational Directive (BOD) 22-01 action comes just one day after threat intelligence firm watchTowr confirmed that attackers had begun weaponizing the flaw in the wild.
At the center of the directive is CVE-2026-1731, a severe OS command injection vulnerability residing in BeyondTrust’s Remote Support and Privileged Remote Access software. The flaw allows an unauthenticated, remote attacker to execute arbitrary operating system commands on the affected host without requiring any user interaction.
BeyondTrust, which counts 75% of the Fortune 100 and numerous government agencies among its clients, initially patched all SaaS instances of the affected products on February 2. However, the company released patches for on-premise customers on February 6, warning that successful exploitation _"may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."_ The vulnerability impacts Remote Support version 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
The timeline of events underscores the escalating threat. The vulnerability was responsibly disclosed to BeyondTrust by a researcher known as Hacktron on January 31. Just over two weeks later, on February 15, watchTowr’s head of threat intelligence, Ryan Dewhurst, reported active exploitation of the flaw and issued a stark warning to administrators that unpatched devices should be assumed compromised.
This alert triggered CISA’s swift action. By adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, the agency signaled that it is no longer a theoretical risk but an active attack vector. CISA’s warning emphasized that such vulnerabilities are _"frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."_
The urgency of the directive is amplified by the attack surface. Hacktron’s initial research identified approximately 11,000 BeyondTrust Remote Support instances exposed online, with the vast majority—roughly 8,500—being on-premise deployments. This distinction is critical: while SaaS customers were secured automatically weeks ago, on-premise installations require manual intervention, leaving a substantial number of high-value targets potentially vulnerable if patches have not been applied.
This incident carries the weight of recent history. CISA’s warning comes on the heels of previous BeyondTrust security failures that directly impacted U.S. national security. Two years ago, the U.S. Treasury Department disclosed a significant breach linked to Silk Typhoon, a notorious Chinese state-backed cyberespionage group.
In that incident, Silk Typhoon exploited two zero-day vulnerabilities CVE-2024-12356 and CVE-2024-12686 to compromise BeyondTrust’s systems. Using a stolen API key, the group went on to breach 17 Remote Support SaaS instances, including that of the Treasury itself. The attack also compromised the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS), highlighting the profound national security risks tied to identity security infrastructure.
While CISA’s mandate applies directly to federal agencies, the directive serves as a clear warning to the private sector. Given the active exploitation and the historical interest from sophisticated state-sponsored groups, organizations using affected on-premise versions of BeyondTrust Remote Support or Privileged Remote Access are operating under a significant risk assumption. With the three-day federal deadline expiring today, the expectation from the cybersecurity community is clear: any unpatched instance should be treated as a critical priority for immediate remediation.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams