It took less than 24 hours.

On February 10, a proof-of-concept exploit for CVE-2026-1731, a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access, was posted to GitHub. By February 11, GreyNoise’s Global Observation Grid was recording reconnaissance probing for vulnerable BeyondTrust instances.

What Is CVE-2026-1731?

CVE-2026-1731 is an OS command injection flaw (CVSS v4: 9.9) that lets an unauthenticated attacker execute arbitrary commands on a BeyondTrust Remote Support or Privileged Remote Access server. No credentials required. No user interaction needed. Low complexity to exploit.

It's a variant of CVE-2024-12356, the same vulnerability class that Chinese state-sponsored group Silk Typhoon used to breach the U.S. Treasury Department in late 2024. Same WebSocket endpoint, different code path.

BeyondTrust patched cloud customers automatically on February 2. Self-hosted customers need to update manually to RS v25.3.2+ or PRA v25.1.1+.
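As an added example (not BeyondTrust's or GreyNoise's code), here is a small inventory check for the manual update the post describes for self-hosted instances: it compares each host's reported build against the fixed releases named above (RS 25.3.2, PRA 25.1.1). The version-string shapes it accepts and the sample inventory are assumptions constructed for the example.

```python
import re

# Fixed releases named in the post: Remote Support (RS) and Privileged Remote Access (PRA).
FIXED_VERSIONS = {
    "RS": (25, 3, 2),
    "PRA": (25, 1, 1),
}


def parse_version(text):
    """Extract a dotted numeric version such as 'v25.3.2' or '25.1' into a tuple.

    Missing minor/patch components are padded with zero so that '25.3' sorts
    below '25.3.2'. Raises ValueError if no version number is present at all.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_patched(product, version_text):
    """True if the installed build is at or above the fixed release for the product.

    Cloud tenants were updated by the vendor on February 2; this check is for
    self-hosted deployments that need the manual update.
    """
    product = product.upper()
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product {product!r}; expected RS or PRA")
    return parse_version(version_text) >= FIXED_VERSIONS[product]


def triage(inventory):
    """Given (hostname, product, version) rows, return hosts still on a vulnerable build."""
    return [host for host, product, version in inventory if not is_patched(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; these are not real hosts.
    sample = [
        ("rs-prod-01", "RS", "v25.3.2"),
        ("rs-dr-02", "RS", "v25.2.9"),
        ("pra-01", "PRA", "25.1.1"),
        ("pra-legacy", "PRA", "24.3.1"),
    ]
    for host in triage(sample):
        print("UPDATE NEEDED:", host)
```

The comparison is done on integer tuples rather than strings so that a future 25.3.10 is correctly ranked above 25.3.2.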

What GreyNoise Observed

Our Global Observation Grid, a passive network of sensors that observe and classify internet-wide scanning and reconnaissance, detected a clear surge beginning February 11, 2026. This is the reconnaissance phase; what comes next is predictable.

Four Things That Stand Out

1. One scanner dominates

A single IP accounts for 86% of all observed reconnaissance sessions so far. It's associated with a commercial VPN service hosted by a provider in Frankfurt and has been an active scanner in our data since 2023. This isn't a new actor; it's an established scanning operation that rapidly added CVE-2026-1731 checks to its toolkit.

2. They're not hitting port 443

Standard BeyondTrust deployments serve HTTPS on port 443, yet only a few sessions targeted that port. The rest systematically probed clusters of non-standard ports, suggesting the scanners expect enterprises to move BeyondTrust off the default port as a security-through-obscurity measure.

3. JA4+ fingerprints reveal shared tooling and VPN tunneling

GreyNoise captures JA4+ fingerprints on every session. At the TCP layer, 100% of sessions show Linux stack characteristics. The dominant scanner's TCP fingerprint has an MSS of 1358 (vs. the standard 1460), confirming VPN tunnel encapsulation at the network layer and independently validating the VPN association. At the HTTP layer, two distinct exploit tools are in use: one lightweight 5-header tool shared by the top 5 IPs (including all 4 classified as malicious), and a 7-header variant used by 10 different single-session scanners. Neither tool matches any known application in the JA4 fingerprint database. One session even shows a loopback MSS (65495), a distinctive operational artifact.
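The three observations above (one dominant source, off-standard ports, and TCP/HTTP fingerprints pointing at tunnelling and shared tooling) are the kind of thing a defender would want to pull out of their own sensor or proxy logs. The following is an added example, not GreyNoise's code or data: it runs that triage over a handful of constructed session records. The record layout, the header-count stand-in for the JA4H fingerprint, and the assumption that a JA4T string is laid out as window_options_mss_scale are all assumptions made for this example; the MSS values 1358 and 65495 are the ones the post reports.

```python
from collections import Counter

ETHERNET_MSS = 1460   # MSS on a plain 1500-byte MTU path, the "standard" value in the post
LOOPBACK_MSS = 65495  # the loopback MSS value the post calls out as an operational artifact
STANDARD_PORT = 443

# Constructed sample sessions, not real sensor data. Six sessions from one
# source with a tunnel-sized MSS on mixed ports, plus one single-session
# scanner with a different header count and a loopback MSS.
SESSIONS = [
    {"src": "203.0.113.10", "dport": 8443,  "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "203.0.113.10", "dport": 9443,  "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "203.0.113.10", "dport": 10443, "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "203.0.113.10", "dport": 443,   "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "203.0.113.10", "dport": 8443,  "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "203.0.113.10", "dport": 4443,  "ja4t": "65535_2-4-8-1-3_1358_7", "ja4h_hdrs": 5},
    {"src": "198.51.100.7", "dport": 8443,  "ja4t": "64240_2-4-8-1-3_65495_7", "ja4h_hdrs": 7},
]


def mss_from_ja4t(ja4t):
    """Pull the MSS field out of a JA4T string (assumed layout: window_options_mss_scale)."""
    fields = ja4t.split("_")
    if len(fields) != 4:
        raise ValueError(f"malformed JA4T: {ja4t!r}")
    return int(fields[2])


def classify_mss(mss):
    """Return (label, overhead_bytes).

    An MSS below 1460 on a Linux stack means something between the scanner and
    the sensor is consuming path MTU, e.g. a VPN tunnel; the overhead is how
    many bytes that encapsulation costs per segment.
    """
    if mss == LOOPBACK_MSS:
        return ("loopback", 0)
    if mss == ETHERNET_MSS:
        return ("ethernet", 0)
    if mss < ETHERNET_MSS:
        return ("encapsulated", ETHERNET_MSS - mss)
    return ("jumbo-or-unknown", 0)


def dominant_source(sessions):
    """(ip, count, total) for the source seen in the most sessions."""
    ip, n = Counter(s["src"] for s in sessions).most_common(1)[0]
    return ip, n, len(sessions)


def port_profile(sessions):
    """Per-port session counts plus the share of sessions not on the standard port."""
    ports = Counter(s["dport"] for s in sessions)
    off_standard = sum(n for p, n in ports.items() if p != STANDARD_PORT)
    return dict(ports), off_standard / len(sessions)


def tooling_clusters(sessions):
    """Group sources by HTTP header count, a coarse stand-in for the JA4H fingerprint.

    Sources that share a count are candidates for shared tooling and deserve
    a closer look at the full fingerprint.
    """
    clusters = {}
    for s in sessions:
        clusters.setdefault(s["ja4h_hdrs"], set()).add(s["src"])
    return {k: sorted(v) for k, v in sorted(clusters.items())}


def flag_session(s):
    """Human-readable reasons a defender would want surfaced for one session."""
    reasons = []
    if s["dport"] != STANDARD_PORT:
        reasons.append(f"non-standard port {s['dport']}")
    label, overhead = classify_mss(mss_from_ja4t(s["ja4t"]))
    if label == "encapsulated":
        reasons.append(f"tunnelled (MSS short by {overhead} bytes)")
    elif label == "loopback":
        reasons.append("loopback MSS artifact")
    return reasons


if __name__ == "__main__":
    ip, n, total = dominant_source(SESSIONS)
    print(f"dominant source {ip}: {n}/{total} sessions ({n / total:.0%})")
    ports, off = port_profile(SESSIONS)
    print(f"ports: {ports}; {off:.0%} of sessions off port {STANDARD_PORT}")
    print("tooling clusters by header count:", tooling_clusters(SESSIONS))
    for s in SESSIONS:
        print(s["src"], s["dport"], flag_session(s))
```

On the constructed data the dominant source accounts for 6 of 7 sessions (about 86%), 6 of 7 sessions avoid port 443, and the 1358 MSS classifies as 102 bytes of encapsulation overhead below the 1460 baseline. A header count is only a coarse proxy for JA4H; in practice you would cluster on the full fingerprint string.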

4. These are multi-exploit actors

The IPs performing reconnaissance for CVE-2026-1731 aren't single-purpose. While their BeyondTrust activity is a check (enumeration), their GreyNoise profiles show they're simultaneously conducting active exploitation attempts against other products: SonicWall, MOVEit Transfer, Log4j, Sophos firewalls, SSH brute-forcing, and IoT default-credential testing. Some IPs are even using out-of-band application security testing (OAST) callback domains, a more sophisticated technique for confirming a target is vulnerable before delivering payloads.

The BeyondTrust Pattern

BeyondTrust's remote access tools occupy a uniquely sensitive position. They're designed to manage privileged access to enterprise networks. When they're compromised, attackers don't just get a foothold; they get the keys to the castle.

 Dec 2024  │  CVE-2024-12356 — Silk Typhoon breaches U.S. Treasury
           │  via BeyondTrust zero-day (same WebSocket endpoint)
 Jan 2026  │  GreyNoise sensors catch a malicious IP replaying the
           │  exact Treasury breach exploit chain (CVE-2024-12356 +
           │  CVE-2025-1094 SQLi)
 Feb 2026  │  CVE-2026-1731 — Variant discovered by AI-assisted
           │  analysis. PoC drops. Recon begins within 24 hours.
    ???    │  What comes next?

Before CVE-2026-1731 even existed, the old exploit chain was still in active use. 

On January 5, we observed a Polish hosting provider running the same BeyondTrust RCE + PostgreSQL SQLi chain that Silk Typhoon used against the Treasury, all targeting the /nw WebSocket path on port 443. That IP shares a TLS fingerprint with the new CVE-2026-1731 scanners and also targets SimpleHelp, another remote support product. 26 days later, the new variant was discovered, and by February 11, a fresh set of actors had already begun mapping targets.

See It for Yourself in GreyNoise

GreyNoise customers can track this activity in real time:

The tag was deployed on February 10 and is actively classifying new reconnaissance IPs as they appear. Customers get full IP context, JA4+ fingerprint analysis, behavioral profiling, timeline data, and the complete IOC list for blocking.

Not a GreyNoise customer? You can look up individual IPs against our dataset at viz.greynoise.io and see classification data for free.   

The Bottom Line

CVE-2026-1731 follows a predictable but dangerous pattern: critical disclosure, rapid PoC, and immediate reconnaissance. The last time a BeyondTrust pre-auth RCE went unpatched, a nation-state actor exploited it to breach a U.S. government agency.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.