11.02.2026
2 min
500
Threat actors have begun actively exploiting CVE-2026-1731 (CVSS 9.9), a critical vulnerability affecting BeyondTrust Remote Support and Privileged Remote Access. The flaw allows unauthenticated remote code execution. At the same time, CISA has added four more actively exploited vulnerabilities to its KEV catalog, impacting Apple, Notepad++, SolarWinds, and Microsoft products.
According to watchTowr researchers, in-the-wild exploitation was observed shortly after public disclosure. Attackers abuse the get_portal_info function to extract the x-ns-company value before establishing a malicious WebSocket session.
The flaw enables unauthenticated OS command execution, potentially leading to unauthorized access, data exfiltration, and service disruption. BeyondTrust has released patches:
Remote Support — Patch BT26-02-RS, version 25.3.2 and later
Privileged Remote Access — Patch BT26-02-PRA, version 25.1.1 and later
CISA also updated its Known Exploited Vulnerabilities (KEV) catalog with:
CVE-2026-20700 — memory buffer vulnerability in Apple platforms
CVE-2025-15556 — supply chain compromise in Notepad++ updates
CVE-2025-40536 — security control bypass in SolarWinds Web Help Desk
CVE-2024-43468 — SQL injection in Microsoft Configuration Manager
The Notepad++ case stands out. According to Rapid7 and DomainTools, attackers selectively delivered trojanized installers rather than broadly poisoning the ecosystem. The campaign, attributed to the China-linked Lotus Blossom group, lasted nearly five months and focused on high-value targets.
Apple acknowledged that CVE-2026-20700 may have been used in highly targeted attacks, possibly involving commercial spyware deployment.
The KEV catalog includes vulnerabilities with confirmed active exploitation. U.S. federal agencies are required to remediate them within strict deadlines. The current wave of incidents highlights how rapidly newly disclosed vulnerabilities are weaponized. With automated exploit development and patch diffing, the defensive window is now measured in days—or even hours.
CVE-2026-1731 and the expanded KEV list reinforce a harsh reality: critical vulnerabilities are operationalized almost immediately. Organizations must prioritize rapid patching, exposure reduction, log analysis, and proactive threat monitoring. In today’s landscape, response speed defines resilience.
