Threat actors are actively exploiting a critical security vulnerability impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, security researchers at watchTowr have reported. The flaw, identified as CVE-2026-1731, carries a critical CVSS score of 9.9 and could allow unauthenticated attackers to execute arbitrary operating system commands, leading to unauthorized access, data exfiltration, and system disruption.
Overnight observations from watchTowr’s global sensors confirmed in-the-wild exploitation of BeyondTrust systems. In the observed activity, attackers first query the ‘get_portal_info’ endpoint to extract the ‘x-ns-company’ value, a prerequisite for the next step of establishing a WebSocket channel over which the malicious activity is carried out. Weaponization this quickly after disclosure leaves defenders a very short window in which to apply the patches.
BeyondTrust Vulnerability Exploitation and Patches Issued
The critical vulnerability, CVE-2026-1731, enables unauthenticated remote attackers to execute operating system commands in the context of the site user, which is sufficient to compromise sensitive data handled by the appliance and to disrupt the remote-access service it provides. BeyondTrust has acknowledged the severity of the flaw and has released patches for the affected products.
For Remote Support, the fix is delivered as patch BT26-02-RS and is included in version 25.3.2 and later. For Privileged Remote Access, the fix is delivered as patch BT26-02-PRA and is included in version 25.1.1 and later. Organizations running either product should apply the patch or upgrade immediately; given the confirmed exploitation, it is also worth reviewing access logs for activity that predates the patch.
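A defender reading watchTowr’s description of the activity will want to know whether the same two-step pattern appears in their own logs. The script below is an added example written for this article, not code from watchTowr or BeyondTrust: it correlates, per client address, a request to the ‘get_portal_info’ endpoint with a subsequent WebSocket upgrade (an HTTP 101 response) inside a short time window. It assumes combined-format access logs from the appliance or from a reverse proxy in front of it; the log lines are constructed, the WebSocket path ‘/ws’ is a placeholder (the report does not name it), and the five-minute window is an arbitrary starting point.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicators taken from the report: the reconnaissance request hits
# 'get_portal_info'; the follow-on step is a WebSocket handshake, which the
# server acknowledges with HTTP 101. The WebSocket path is not given in the
# report, so only the status code is matched here (assumption).
RECON_MARKER = "get_portal_info"
WS_STATUS = "101"

# Constructed sample log lines (not real traffic). Three clients:
#  - 203.0.113.7: recon, then a WebSocket upgrade one second later (suspicious)
#  - 198.51.100.20: recon, then an upgrade 80 minutes later (outside the window)
#  - 192.0.2.55: WebSocket upgrade with no preceding recon (ordinary session)
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2026:03:14:02 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [11/Feb/2026:03:14:03 +0000] "GET /ws HTTP/1.1" 101 0 "-" "python-requests/2.32"
198.51.100.20 - - [11/Feb/2026:03:20:11 +0000] "GET /get_portal_info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Feb/2026:04:40:11 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Feb/2026:03:30:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Feb/2026:03:30:05 +0000] "GET /ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, timestamp, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": m["status"],
    }


def recon_sources(lines):
    """Every client address that requested the get_portal_info endpoint, sorted."""
    entries = filter(None, map(parse_line, lines))
    return sorted({e["ip"] for e in entries if RECON_MARKER in e["path"]})


def find_suspicious(lines, window=timedelta(minutes=5)):
    """Map each client that opened a WebSocket within `window` of a get_portal_info
    request to (time of the last qualifying recon request, time of the upgrade).

    Correlating the two steps per source cuts false positives from ordinary
    portal visitors who may call get_portal_info without ever upgrading.
    """
    recon_times = defaultdict(list)
    flagged = {}
    entries = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    for entry in entries:
        if RECON_MARKER in entry["path"]:
            recon_times[entry["ip"]].append(entry["ts"])
        elif entry["status"] == WS_STATUS:
            hits = [t for t in recon_times[entry["ip"]]
                    if timedelta(0) <= entry["ts"] - t <= window]
            if hits:
                flagged.setdefault(entry["ip"], (max(hits), entry["ts"]))
    return flagged


if __name__ == "__main__":
    for ip, (recon_ts, ws_ts) in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: get_portal_info at {recon_ts:%H:%M:%S}, "
              f"WebSocket upgrade at {ws_ts:%H:%M:%S}")
```

Tune the window against your own baseline: a single ‘get_portal_info’ request is not, on its own, evidence of anything, and a patient attacker could space the two steps further apart than five minutes. The report describes only the reconnaissance and channel-setup steps, so the absence of this pattern does not prove the appliance was not exploited, and a hit should be followed up by reviewing what the site user did afterwards.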
CISA Adds Four Vulnerabilities to Known Exploited Vulnerabilities Catalog
Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence of active exploitation, and it triggers mandatory remediation deadlines for federal civilian agencies.
The newly added vulnerabilities include CVE-2026-20700 in Apple’s operating systems, which could allow arbitrary code execution. Another is CVE-2025-15556 affecting Notepad++, enabling attackers to intercept or redirect update traffic and execute malicious installers. CVE-2025-40536 in SolarWinds Web Help Desk allows unauthenticated access to restricted functionality. Lastly, CVE-2024-43468, an SQL injection vulnerability in Microsoft Configuration Manager, could enable attackers to execute commands through specially crafted requests.
Details on Exploited Vulnerabilities and Attacker Profiles
Microsoft patched CVE-2024-43468 in October 2024; its KEV listing now indicates that the flaw is still being exploited against unpatched installations. The SolarWinds entry follows a Microsoft report describing multi-stage intrusions in which internet-exposed SolarWinds Web Help Desk (WHD) instances were used for initial access and lateral movement, although it remains unclear whether specific older WHD vulnerabilities were exploited in those incidents.
Regarding Apple’s CVE-2026-20700, the company has indicated that highly sophisticated attacks against targeted individuals on older iOS versions may have occurred, potentially involving commercial spyware. The vulnerability was fixed earlier this week.
The exploitation of CVE-2025-15556 in Notepad++ has been attributed to Lotus Blossom, a China-linked state-sponsored threat actor known to be active since at least 2009. This campaign, discovered by Rapid7 and detailed by DomainTools Investigations (DTI), involved a supply chain attack that delivered a previously undocumented backdoor named Chrysalis. The compromise of the Notepad++ update pipeline is estimated to have lasted for nearly five months, from June to October 2025.
DTI described the incident as a “quiet, methodical intrusion” indicative of a covert intelligence-gathering mission. The attackers intentionally did not broadly distribute malicious code, instead selectively targeting specific organizations and individuals deemed strategically valuable. By compromising the update mechanism used by developers and administrators, they transformed routine maintenance into a covert entry point.
Remediation Deadlines for Federal Agencies
In response to the active exploitation of these vulnerabilities, CISA has set deadlines for Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations. Agencies must address CVE-2025-40536 by February 15, 2026, and the remaining three, CVE-2024-43468, CVE-2026-20700, and CVE-2025-15556, by March 5, 2026. The ongoing exploitation of BeyondTrust products likewise calls for prompt patching by every organization running those solutions, not only federal agencies.