PRP: BeyondTrust Remote Support CVE-2026-1731 Pre-Auth RCE

[frkngksl]

• Identifier of the vulnerability: CVE-2026,1731
• Affected software: BeyondTrust Remote Support
• Type of vulnerability: RCE
• Requires authentication: No
• Language you would use for writing the plugin: Java or Python because of the websocket requirement
• Resources:
  • https://cloud.projectdiscovery.io/library/CVE-2026-1731
  • https://github.com/win3zz/CVE-2026-1731/blob/main/exploit.py

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 1 issues tagged as main;
• The contributor has 4 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[github-actions]

Congratulations, your request has been approved! 🎉

This means that you can start working on this contribution.

❗ Please take a moment to fill the participation form

If you are unsure where to start, we have compiled a set of
useful guides in our documentation:

📖 https://google.github.io/tsunami-security-scanner/howto/

Unfortunately, our documentation is not yet complete for
fingerprints, Python plugins and weak credential detectors. For
these, we recommend looking at existing plugins.

📢 Read latest announcements on GitHub pages

~The Tsunami PRP team

[frkngksl]

Hi @erikvarga ,

Planning to implement this with an old Java type plugin due to websocket communication in the exploit. Are you okay with that right?

[tooryx]

Hi @frkngksl,

This is OK.

~tooryx

[frkngksl]

Hi @tooryx ,

I want to give you an update regarding the latest situation here. BeyondTrust Remote Support doesn't give you any official docker or public link to their products. Also, there is no official hash for the server part itself (to check its binary from VirusTotal). They are claiming that they can give a trial, but I couldn't pass the SMS verification (maybe because I live in Turkey, it was the same on the weekend, I've decided to wait for today, but on a weekday, the problem still continues). I can contact the customer service regarding this trial issue, but in that situation, I don't think that I could prepare a Docker testbed due to the license conditions. I know it is a very critical PoC and really wanted to develop a plugin for it, but I don't know how we can move on with the validation part. Any ideas on that?

Best regards,

[tooryx]

Hi @frkngksl,

Let's park that request for now then.

~tooryx

[github-actions]

This issue has been put in your contributor queue. This usually
means that you already are working on a contribution and the
panel is waiting for your other contributions to be fully
merged.

An issue in your queue is not pre-approved. Any issue that is
not explicitely approved by the panel will not be eligible for
a reward.

Unless there is an emergency, an issue in your queue cannot be
claimed by another contributor.

~The Tsunami PRP team