A critical vulnerability in BeyondTrust Remote Support is facing a surge in reconnaissance activity in preparation for more targeted exploitation, according to security researchers. 

The flaw, tracked as CVE-2026-1731, is an operating system command injection vulnerability that also impacts some older versions of the company’s Privileged Remote Access products. 

If successfully exploited, an unauthenticated attacker can execute arbitrary commands on a server without any credentials or user interaction, researchers warn. 

The flaw is a variant of the same vulnerability used by state-linked threat group Silk Typhoon against the U.S. Treasury Department, according to a blog post from GreyNoise. Hackers stole unclassified documents in the 2024 Treasury Department hack after gaining access to workstations. 

BeyondTrust automatically patched cloud customers against the flaw. Self-hosted customers will need to apply upgrades, according to a blog post published Feb. 6. 

A surge of reconnaissance activity began Wednesday, mostly linked to a single IP address connected to a commercial VPN hosted in Frankfurt, Germany, according to GreyNoise. The scanning began just a day after the release of a proof of concept. 

Researchers at Defused also report a surge in probing activity but caution that any exploitation is limited. 

Ryan Dewhurst, head of threat intelligence at watchTowr, noted the first in-the-wild exploitation of the BeyondTrust flaw in a Thursday post on X. 

“Probes and exploitation attempts have been quite limited so far,” researchers at watchTowr told Cybersecurity Dive through a spokesperson. “However, we may see activity ramp up over the coming days.”