CISA flags active exploitation of BeyondTrust CVE-2026-1731 

CISA announced on February 13, 2026, that it added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog, signaling that attackers are actively using the flaw in real-world intrusions.

What happened

A security flaw tracked as CVE-2026-1731 hits BeyondTrust Remote Support (RS) and certain older Privileged Remote Access (PRA) versions, according to the National Vulnerability Database (NVD) run by NIST. The database describes the bug as a pre-authentication remote code execution issue, meaning an attacker may be able to send specially crafted requests and run operating system commands without logging in if the target server is reachable and unpatched.

NVD lists the severity as Critical, including a CVSS 3.1 base score of 9.8, and maps the weakness to CWE-78 (OS command injection). The entry also notes the issue is listed in CISA’s Known Exploited Vulnerabilities catalog, with a federal due date of February 16, 2026, after being added on February 13, 2026, and it summarizes the required action as applying vendor mitigations or discontinuing use if mitigations are unavailable.

NVD’s affected-software section indicates impacted builds include PRA versions before 25.1 and RS versions before 25.3.2, pointing readers to BeyondTrust’s BT26-02 advisory and CISA guidance for patching and response.

What was said

According to the CISA alert, “Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.”

Why does the CISA recommend timely vulnerability disclosure, patching and rapid sharing of exploitation signals?

CISA pushes for fast vulnerability disclosure, patching, and rapid sharing of exploitation signals because speed is what shrinks the window attackers have to use a known weakness. CISA’s Binding Operational Directive (BOD) 22-01 explicitly creates a CISA-managed Known Exploited Vulnerabilities (KEV) Catalog to focus agencies on vulnerabilities that attackers are already using, and it sets deadlines so remediation happens quickly instead of drifting.

CISA also tells organizations to patch quickly after disclosure; its joint advisories sometimes specify a 24–48 hour patch window, because active threat campaigns move fast once a bug becomes public knowledge or weaponized. Rapid sharing of exploitation signals (like malicious IPs, domains, hashes, and phishing artifacts) matters for the same reason as shared indicators help other defenders block or detect the same activity sooner.

The CISA runs programs designed for near real-time indicator exchange, including Automated Indicator Sharing (AIS) and its share indicators intake process. CISA’s guidance also notes that without timely reporting/sharing, CISA and partners have less ability to assist victims and less visibility into broader campaigns, which slows down collective defense.

Why it matters

Gogs is a self-hosted Git server that teams run on their own infrastructure to store code and manage software changes, so a compromise can spill into the systems that build and deploy software. CISA added urgency by listing a Gogs flaw in its KEV Catalog. One reason the fallout can spread fast is credential exposure.

An Empirical Software Engineering study on secrets in code repositories warns that “Checked-in secrets in version-controlled software projects pose security risks to software and services.” While Gogs and BeyondTrust live in different ecosystems, developer tooling versus remote access/security tooling, both become high-impact targets when they are self-hosted, internet-exposed, and slow to update.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What are FCEB agencies?

FCEB agencies are U.S. Federal Civilian Executive Branch departments and agencies that fall under CISA’s binding directive scope for protecting federal civilian networks.

What is an OS Command Injection?

An OS command injection is a software flaw (often labeled CWE-78) where unsafe input lets an attacker execute operating system commands on the affected server.

Why does BOD 22-01 only apply to FCEB agencies?

BOD 22-01 is CISA’s Binding Operational Directive that established the KEV Catalog and requires FCEB agencies to fix listed exploited vulnerabilities by set deadlines, and it applies only to FCEB agencies because BODs are compulsory directions for federal civilian executive-branch agencies (not a blanket rule for the private sector).