Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability

""Overnight we observed first in-the-wild exploitation of BeyondTrust across our global sensors," Ryan Dewhurst, head of threat intelligence at watchTowr, said in a post on X. "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel." The vulnerability in question is CVE-2026-1731 (CVSS score: 9.9), which could allow an unauthenticated attacker to achieve remote code execution by sending specially crafted requests."
"BeyondTrust noted last week that successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption. It has been patched in the following versions - Remote Support - Patch BT26-02-RS, 25.3.2 and later; Privileged Remote Access - Patch BT26-02-PRA, 25.1.1 and later"
"The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2026-20700 (CVSS score: 7.8) - An improper restriction of operations within the bounds of a memory buffer vulnerability in Apple iOS, macOS, tvOS, watchOS, and visionOS that could allow an attacker with memory write capability to execute arbitrary code."
Threat actors began exploiting a critical unauthenticated remote code execution vulnerability, CVE-2026-1731 (CVSS 9.9), in BeyondTrust Remote Support and Privileged Remote Access products. Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel, enabling weaponization via specially crafted requests. Successful exploitation can execute operating system commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. BeyondTrust released patches: Remote Support BT26-02-RS (25.3.2 and later) and Privileged Remote Access BT26-02-PRA (25.1.1 and later). CISA added multiple vulnerabilities to its KEV catalog, including CVE-2026-20700 and CVE-2025-15556.
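
For defenders triaging exposure, the reported sequence (a get_portal_info request followed by a WebSocket channel from the same client) can be hunted in proxy logs. The sketch below is an added example, not code from BeyondTrust, watchTowr or the article. Assumptions: a reverse proxy writes combined-style access logs, a WebSocket upgrade shows as HTTP 101, the 60-second window is arbitrary, and the sample lines, paths and dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumption: combined-style reverse proxy log).
# Paths are placeholders, not the product's real URLs; only the
# "get_portal_info" token comes from the reporting.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2026:02:14:01 +0000] "GET /PLACEHOLDER/get_portal_info HTTP/1.1" 200 512
203.0.113.7 - - [13/Feb/2026:02:14:03 +0000] "GET /PLACEHOLDER/ws HTTP/1.1" 101 0
198.51.100.20 - - [13/Feb/2026:02:20:00 +0000] "GET /PLACEHOLDER/get_portal_info HTTP/1.1" 200 512
192.0.2.44 - - [13/Feb/2026:02:25:10 +0000] "GET /PLACEHOLDER/ws HTTP/1.1" 101 0
198.51.100.20 - - [13/Feb/2026:03:40:00 +0000] "GET /PLACEHOLDER/ws HTTP/1.1" 101 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_probe_then_websocket(log_text, window=timedelta(seconds=60)):
    """Return (ip, probe_time, ws_time) tuples where a get_portal_info request
    is followed by an HTTP 101 upgrade from the same IP within `window`."""
    last_probe = {}  # ip -> time of its most recent get_portal_info request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if "get_portal_info" in m["path"]:
            last_probe[ip] = ts
        elif m["status"] == "101" and ip in last_probe:
            probe_ts = last_probe.pop(ip)
            if timedelta(0) <= ts - probe_ts <= window:
                hits.append((ip, probe_ts, ts))
    return hits

if __name__ == "__main__":
    for ip, probe, ws in find_probe_then_websocket(SAMPLE_LOG):
        print(f"{ip}: get_portal_info {probe.isoformat()} -> upgrade {ws.isoformat()}")
```

The reporting does not say whether legitimate clients produce the same sequence, so a match is a lead for triage against patch status, not a verdict.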
Read at The Hacker News