The Department of Health and Human Services (HHS) encourages Healthcare and Public Health (HPH) sector organizations to review and address a critical vulnerability identified in BeyondTrust Remote Support and Privileged Remote Access solutions in light of rising cyber attacks affecting the sector.
BeyondTrust published Security Advisory BT26-02 regarding a critical pre-authentication remote code execution vulnerability, identified as CVE-2026-1731, affecting Remote Support and older versions of Privileged Remote Access. The vulnerability carries a CVSSv4 score of 9.9 and may be triggered through specially crafted client requests, potentially allowing an unauthenticated remote attacker to execute operating system commands in the context of the site user.
The vulnerability affects Remote Support version 25.3.1 and prior and Privileged Remote Access version 24.3.4 and prior, with remediation available through specific patches or by upgrading to fixed versions. BeyondTrust issued patches on February 2, 2026. The patches were automatically deployed to instances with the update service enabled and, as of February 2, 2026, were applied to all Software as a Service (SaaS) customers. Self-hosted customers were instructed to manually apply updates or upgrade to supported versions where necessary. For additional information, organizations are encouraged to review the BeyondTrust Security Advisory.
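As an added example (not part of the HHS notice or BeyondTrust's advisory), the following script triages an asset inventory against the affected version ranges and deployment cases described above. The record field names (`host`, `product`, `version`, `deployment`, `update_service`, `patch_confirmed`) and the sample hosts are assumptions for illustration; fixed version numbers are not given in the notice, so the script only flags what still needs follow-up.

```python
import re

# Affected ceilings exactly as stated in the notice; fixed versions are not listed there.
AFFECTED_MAX = {
    "remote support": (25, 3, 1),
    "privileged remote access": (24, 3, 4),
}

def parse_version(text):
    """Parse '25.3.1' or 'v24.3' into a 3-tuple of ints; any trailing suffix is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(rec):
    """Map one inventory record (hypothetical field names) to a follow-up action."""
    ceiling = AFFECTED_MAX.get(rec.get("product", "").strip().lower())
    if ceiling is None:
        return "out-of-scope"
    if rec.get("deployment") == "saas":
        return "vendor-patched"        # notice: patches applied to all SaaS customers
    try:
        version = parse_version(rec.get("version"))
    except ValueError:
        return "verify-version"        # unknown version stays an open item
    if version > ceiling:
        return "above-affected-range"
    if rec.get("patch_confirmed"):
        return "patched"
    if rec.get("update_service"):
        return "confirm-auto-patch"    # patch was auto-deployed; verify it landed
    return "patch-or-upgrade"          # self-hosted: manual update or upgrade

# Constructed sample inventory; hosts and values are illustrative only.
SAMPLE = [
    {"host": "rs-01", "product": "Remote Support", "version": "25.3.1", "deployment": "self-hosted"},
    {"host": "rs-02", "product": "Remote Support", "version": "v25.2", "deployment": "self-hosted", "update_service": True},
    {"host": "rs-03", "product": "Remote Support", "version": "unknown", "deployment": "self-hosted"},
    {"host": "pra-01", "product": "Privileged Remote Access", "version": "24.3.4", "deployment": "saas"},
    {"host": "pra-02", "product": "Privileged Remote Access", "version": "25.1.0", "deployment": "self-hosted"},
]

def triage_inventory(records):
    """Return {host: action} for every record."""
    return {r["host"]: triage(r) for r in records}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host}: {action}")
```

Hosts reported as `patch-or-upgrade`, `confirm-auto-patch` or `verify-version` are the ones that need attention from the team that owns the appliance.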