PRA versions 25.1 and greater are not affected by this vulnerability, however, versions older than those covered by the patches are impacted. Users on older versions will have to upgrade first before applying the patch.
The vulnerability, tracked as CVE-2026-1731, is rated 9.9 out of 10 on the CVSS scale and was discovered in January by security research company Hacktron AI.
The Hacktron team noted that around 11,000 instances of BeyondTrust Remote Support are currently exposed to the internet and estimated that around 8,500 of those are on-premises deployments that need patching. The SaaS deployments were patched sever-side already.
