The cybersecurity agency CISA has updated its Known Exploited Vulnerabilities (KEV) catalog entry for the BeyondTrust product flaw CVE-2026-1731 to inform organizations about its exploitation in ransomware attacks.
CVE-2026-1731 is a critical vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) that can be exploited for unauthenticated remote code execution.
In-the-wild exploitation of the vulnerability began within 24 hours of a PoC being made public on February 10.
CISA added the flaw to its KEV catalog on February 13 and instructed federal agencies to address it by February 16.
CISA does not notify users when KEV entries are updated to indicate ransomware exploitation. However, a tool released recently by threat intelligence firm GreyNoise flags such changes, and it revealed late on Thursday that the KEV entry for CVE-2026-1731 has been updated to warn that it has been leveraged in ransomware campaigns.
There do not appear to be any public reports linking the exploitation of CVE-2026-1731 to specific ransomware groups.
However, the cybersecurity community has been seeing evidence of the flaw being in the crosshairs of ransomware gangs.
SecureCyber, which called it “pre-ransomware positioning”, reported a few days ago that it had been “tracking ransomware crews who are circling defense contractors and local governments again trying to take advantage of [CVE-2026-1731]”.
Palo Alto Networks on Thursday said it has seen an increase in attacks exploiting the BeyondTrust vulnerability.
The security firm has observed attackers conducting reconnaissance, stealing data, moving laterally, and deploying web shells, remote management tools, and backdoors.
Attacks have targeted organizations in the financial services, high-tech, healthcare, higher education, legal services, and retail sectors across the US, Canada, Australia, Germany, and France.
Palo Alto Networks has mentioned the delivery of malware such as SparkRAT and the VShell Linux backdoor, but has not mentioned any ransomware attacks.
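Because KEV entries change without notice, as described above, defenders can compare saved copies of the catalog themselves. The following is an added example, not GreyNoise's tool or code from this article: it diffs two snapshots on the KEV JSON feed's `knownRansomwareCampaignUse` field, and the snapshot contents and the `CVE-0000-*` identifiers are constructed placeholders.

```python
import json

# Constructed snapshots shaped like CISA's KEV JSON feed, trimmed to the
# fields used here. CVE-0000-* entries are placeholders, not real CVEs.
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "knownRansomwareCampaignUse": "Known"},
]})
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor"},
]})


def ransomware_flags(snapshot_json):
    """Map cveID -> True when the entry is marked as used in ransomware campaigns."""
    flags = {}
    for entry in json.loads(snapshot_json).get("vulnerabilities", []):
        cve = entry.get("cveID")
        if not cve:
            continue  # skip malformed entries rather than failing the whole diff
        value = str(entry.get("knownRansomwareCampaignUse", "")).strip().lower()
        flags[cve] = value == "known"  # a missing field is treated as not known
    return flags


def diff_ransomware_use(old_json, new_json):
    """Report entries whose ransomware flag differs between two snapshots."""
    old, new = ransomware_flags(old_json), ransomware_flags(new_json)
    changes = {"flipped_to_known": [], "new_entry_known": [], "reverted": []}
    for cve, is_known in sorted(new.items()):
        if cve not in old:
            if is_known:
                changes["new_entry_known"].append(cve)
        elif is_known and not old[cve]:
            changes["flipped_to_known"].append(cve)  # the silent update case
        elif old[cve] and not is_known:
            changes["reverted"].append(cve)
    return changes


if __name__ == "__main__":
    for kind, cves in diff_ransomware_use(OLD_SNAPSHOT, NEW_SNAPSHOT).items():
        print(kind, cves)
```

Entries listed under `flipped_to_known` that match products in the asset inventory are the ones to re-prioritize for patching and compromise assessment.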

