
BeyondTrust Remote Support has a critical vulnerability

BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical vulnerability that could allow attackers to gain access to systems without authentication. The vulnerability received a CVSSv4 score of 9.9 and could lead to complete system compromise.

The vulnerability affects Remote Support 25.3.1 and earlier versions, and Privileged Remote Access 24.3.4 and earlier versions. Attackers can execute operating system commands as a site user via specially crafted requests. Notably, no authentication or user interaction is required for successful exploitation.

BeyondTrust applied a patch on February 2, 2026, for all SaaS users of Remote Support and Privileged Remote Access. Self-hosted customers must apply the patch manually if they are not subscribed to automatic updates via the /appliance interface.

Successful exploitation could lead to system compromise, unauthorized access, data exfiltration, and service interruptions. The high CVSSv4 score of 9.9 underscores the severity of the vulnerability.

Patch management for different versions

Users of Remote Support older than version 21.3 or Privileged Remote Access older than 22.1 must first upgrade to a newer version before applying the patch. For Remote Support, patch BT26-02-RS is available. Versions 25.3.2 and newer are also fully patched.

For Privileged Remote Access, BeyondTrust offers patch BT26-02-PRA. In addition, self-hosted PRA customers can upgrade to version 25.1.1 or newer to remedy the vulnerability. BeyondTrust’s Privileged Access Management solution provides organizations with centralized management of privileged access to critical systems.
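To turn the version bands above into a repeatable check for a self-hosted estate, here is an added triage helper (example code, not BeyondTrust tooling). It assumes a plain `host,product,version` inventory, which is constructed below, and reports any version the article does not explicitly cover as "verify" rather than guessing.

```python
# Added triage helper for the versions named in this advisory. It is not
# BeyondTrust tooling; the version bands below are copied from the text above.

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# (oldest version the patch applies to, last version listed as affected,
#  first fully patched version, patch name) per product, per the article.
BANDS = {
    "RS":  ((21, 3), (25, 3, 1), (25, 3, 2), "BT26-02-RS"),   # Remote Support
    "PRA": ((22, 1), (24, 3, 4), (25, 1, 1), "BT26-02-PRA"),  # Privileged Remote Access
}

def triage(product: str, version: str) -> str:
    """Action for one self-hosted appliance: patched / apply-patch /
    upgrade-first / verify (version not covered by the advisory text)."""
    min_for_patch, last_affected, fixed_from, patch_id = BANDS[product]
    v = parse_version(version)
    if v >= fixed_from:
        return "patched"
    if v < min_for_patch:
        return "upgrade-first"   # too old for the patch; upgrade, then patch
    if v <= last_affected:
        return f"apply-patch {patch_id}"
    return "verify"              # falls between the bands the article gives

# Constructed sample inventory: host,product,version (not real hosts).
SAMPLE_INVENTORY = """\
rs-appliance-01,RS,25.3.1
rs-appliance-02,RS,20.2.0
pra-appliance-01,PRA,24.3.4
pra-appliance-02,PRA,25.1.1
"""

def triage_inventory(csv_text: str) -> dict[str, str]:
    """Map each inventory host to the action it needs."""
    actions = {}
    for line in csv_text.splitlines():
        if line.strip():
            host, product, version = (f.strip() for f in line.split(","))
            actions[host] = triage(product, version)
    return actions

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

SaaS tenants were patched by BeyondTrust on February 2, 2026, so the check only matters for appliances you run yourself.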