Privileged Remote Access
Monthly
Denial-of-service in BeyondTrust Remote Support and Privileged Remote Access appliances lets an unauthenticated remote attacker exhaust or crash the network communication subsystem, taking the appliance offline. The flaw is pre-authentication and network-reachable (CVSS 4.0 8.7, availability-only impact), but affects availability only - no confidentiality or integrity loss. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.
BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) that allows unauthenticated attackers to execute OS commands through specially crafted requests. With EPSS 66% and KEV listing with public PoC, this vulnerability is devastating because these products are specifically designed for privileged remote access — compromising them grants attackers access to the most sensitive systems in an organization.
Server-Side Template Injection (SSTI) vulnerability in the chat feature of Citrix Remote Support (RS) and Privileged Remote Access (PRA) that enables unauthenticated remote code execution with a critical CVSS score of 9.8. The vulnerability affects the chat messaging functionality across both products with no authentication or user interaction required, allowing attackers to execute arbitrary code on affected systems. This is a critical severity issue requiring immediate patching.
BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
BeyondTrust Privileged Remote Access (PRA) versions 22.2.x to 22.4.x are vulnerable to a local authentication bypass. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 23.2.1 and 23.2.2 contain a command injection vulnerability which can be exploited through a malicious HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial-of-service in BeyondTrust Remote Support and Privileged Remote Access appliances lets an unauthenticated remote attacker exhaust or crash the network communication subsystem, taking the appliance offline. The flaw is pre-authentication and network-reachable (CVSS 4.0 8.7, availability-only impact), but affects availability only - no confidentiality or integrity loss. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.
BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) that allows unauthenticated attackers to execute OS commands through specially crafted requests. With EPSS 66% and KEV listing with public PoC, this vulnerability is devastating because these products are specifically designed for privileged remote access — compromising them grants attackers access to the most sensitive systems in an organization.
Server-Side Template Injection (SSTI) vulnerability in the chat feature of Citrix Remote Support (RS) and Privileged Remote Access (PRA) that enables unauthenticated remote code execution with a critical CVSS score of 9.8. The vulnerability affects the chat messaging functionality across both products with no authentication or user interaction required, allowing attackers to execute arbitrary code on affected systems. This is a critical severity issue requiring immediate patching.
BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
BeyondTrust Privileged Remote Access (PRA) versions 22.2.x to 22.4.x are vulnerable to a local authentication bypass. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 23.2.1 and 23.2.2 contain a command injection vulnerability which can be exploited through a malicious HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.