BeyondTrust Vulnerability Exploited in Ransomware Attacks

The cybersecurity agency CISA has updated its Known Exploited Vulnerabilities (KEV) catalog entry for the BeyondTrust product flaw CVE-2026-1731 to inform organizations about its exploitation in ransomware attacks.

CVE-2026-1731 is a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) that can be exploited for unauthenticated remote code execution.

In-the-wild exploitation of the vulnerability began within 24 hours of a PoC being made public on February 10.

CISA added the flaw to its KEV catalog on February 13 and instructed federal agencies to address it by February 16.

CISA does not notify users when KEV entries are updated to indicate ransomware exploitation. However, a tool released recently by threat intelligence firm GreyNoise flags such changes and it revealed late on Thursday that the KEV entry for CVE-2026-1731 has been updated to warn that it has been leveraged in ransomware campaigns.

There do not appear to be any ...