Number: AL26-003
Date: February 16, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Cyber Centre is aware of a high-severity vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)Footnote 1. BeyondTrust Remote Support is an enterprise-level, security-focused remote assistance solution that enables IT teams to access and control systems and devices remotely to help provide technical support. In response to the vendor advisory released on February 6, 2026, the Cyber Centre issued AV26-097Footnote 2 on February 9, 2026.
Tracked as CVE-2026-1731Footnote 3, this vulnerability is a critical pre-authentication remote code execution vulnerability and allows an unauthenticated remote attacker to execute Operating System commands (CWE-78)Footnote 4 in the context of the site user and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.
The Cyber Centre has observed open-source reporting indicating that the vulnerability is being exploited in the wildFootnote 5.
Suggested actions
The Cyber Centre recommends that organizations upgrade affected BeyondTrust instances to a fixed version:
| Affected product | Affected versions | Fixed version |
|---|---|---|
| Remote Support | 25.3.1 and prior | Patch BT26-02-RS (v21.3 - 25.3.1) |
| Remote Support | 25.3.1 and prior | 25.3.2 and greater |
| Privileged Remote Access | 24.3.4 and prior | Patch BT26-02-PRA (v22.1 - 24.X) |
| Privileged Remote Access | 24.3.4 and prior | 25.1 and greater |
BeyondTrust has confirmed that a patch has been applied to all Remote Support SaaS and Privileged Remote Access SaaS customers as of February 2, 2026 that remediates this vulnerability.
For the self-hosted instances of Remote Support and Privileged Remote Access, organizations should apply the patch manually if their instance is not subscribed to automatic updates.
The Cyber Centre also recommends that organizations review their logs to detect anomalies and unauthorized access.
If immediate patching is not possible, reduce exposure by:
- Restrict management interfaces via firewall or IP allowlists
- Remove externally exposed instances from Internet until patch is applied
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions with an emphasis on the following topicsFootnote 6.
- Patch operating systems and applications
- Harden operating systems and applications
- Isolate web-facing applications
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.