A critical vulnerability in BeyondTrust Remote Support is the target of a surge in reconnaissance activity that security researchers say is a prelude to more targeted exploitation.
The flaw, tracked as CVE-2026-1731, is an operating system command injection vulnerability that also impacts some older versions of the company’s Privileged Remote Access products.
If successfully exploited, the flaw lets an unauthenticated attacker execute arbitrary commands on the server without any credentials or user interaction, researchers warn.
The flaw is a variant of the same vulnerability used by state-linked threat group Silk Typhoon against the U.S. Treasury Department, according to a blog post from GreyNoise. Hackers stole unclassified documents in the 2024 Treasury Department hack after gaining access to workstations.
BeyondTrust automatically patched cloud customers against the flaw. Self-hosted customers will need to apply upgrades, according to a blog post published Feb. 6.
The Cybersecurity and Infrastructure Security Agency on Friday added the flaw to its Known Exploited Vulnerabilities catalog.
BeyondTrust also said an initial exploitation attempt was made on Feb. 10, according to an update to its advisory.
A surge of reconnaissance activity began Wednesday, mostly linked to a single IP address connected to a commercial VPN hosted in Frankfurt, Germany, according to GreyNoise. The scanning began just a day after the release of a proof of concept.
Researchers at Defused also report a surge in probing activity but caution that any exploitation is limited.
Ryan Dewhurst, head of threat intelligence at watchTowr, noted the first in-the-wild exploitation of the BeyondTrust flaw in a Thursday post on X.
“Probes and exploitation attempts have been quite limited so far,” researchers at watchTowr told Cybersecurity Dive through a spokesperson. “However, we may see activity ramp up over the coming days.”
Editor’s note: Updates with additional information from CISA and BeyondTrust.