PatchDay Alert

Editorial coverage · CVE-2026-1731

BeyondTrust patched the appliance. Now look at the vault.

An unauthenticated OS command injection in BeyondTrust RS/PRA, mass-exploited within days of the public PoC. The patch closes the bug. It does not rotate the credentials in the vault that ran through the appliance during the exposure window, and the advisory does not say to.

Editorial CVE · 3 min read By The Field Notes Desk · Field Notes

What we say

The bug is the visible part. The credentials are the part that does not patch itself.

CVE-2026-1731 is an unauthenticated OS command injection in RS and PRA, reached through the WebSocket handshake. The handshake's remoteVersion parameter lands in a Bash -lt comparison; -lt evaluates its operand as arithmetic, arithmetic evaluation expands whatever command substitution the attacker embedded in that operand, and the result runs as the appliance's site-user account. The fix is a regex gate confirming the field is a one-or-two-digit number. It works.
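The mechanism above, as an added example in shell that is not BeyondTrust's code: an untrusted version field compared with bash's -lt, the command execution that arithmetic evaluation permits, and the one-or-two-digit regex gate beside it. The function names, the threshold of 10, the marker file and the payload are all constructed for illustration; the only BeyondTrust-specific fact carried over is the shape of the fix.

```shell
#!/bin/sh
# Added illustration of the bug class (bash arithmetic evaluation inside a -lt compare),
# not BeyondTrust's code. The handshake field is modelled as a plain string argument.

WORK="${TMPDIR:-/tmp}/arith-inj-$$"
mkdir -p "$WORK"

# Vulnerable check: hands the untrusted field straight to bash's [[ -lt ]].
# -lt evaluates its operands as arithmetic, and arithmetic evaluation expands an
# array subscript, so a field shaped like  x[$(cmd)]  runs cmd as the checking user.
vulnerable_is_old_version() {
    bash -c '[[ "$1" -lt 10 ]]' _ "$1" 2>/dev/null
}

# Hardened check: the regex gate the page describes, one or two digits only,
# applied before the value ever reaches the comparison.
hardened_is_old_version() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,2}$' || return 2
    bash -c '[[ "$1" -lt 10 ]]' _ "$1"
}

# Constructed attacker value: the subscript runs touch, then evaluates to 0, so the
# comparison still reports "old version" and the caller sees nothing unusual.
PAYLOAD="x[\$(touch $WORK/pwned; echo 0)]"

# Each demo clears the marker, runs one check against the payload, and reports
# whether the marker file appeared (i.e. whether the injected command ran).
demo_vulnerable() {
    rm -f "$WORK/pwned"
    vulnerable_is_old_version "$PAYLOAD" || true
    [ -e "$WORK/pwned" ] && echo injected || echo clean
}

demo_hardened() {
    rm -f "$WORK/pwned"
    hardened_is_old_version "$PAYLOAD" || true
    [ -e "$WORK/pwned" ] && echo injected || echo clean
}

echo "vulnerable: $(demo_vulnerable)"   # injected
echo "hardened:   $(demo_hardened)"     # clean
```

The point to take from running it is that the vulnerable check returns success on the payload: a whitelist-by-regex before the comparison is the fix, not escaping, because the comparison operator itself is what evaluates the string.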

It is also the second time in fifteen months that BeyondTrust has shipped a patch for an OS command injection in this WebSocket endpoint family. CVE-2024-12356 was the first. The December 2024 fix closed one code path and did not audit the surrounding pattern. A researcher with AI tooling asked the obvious follow-up — does the same shape exist elsewhere — and the answer was yes. There was a window between the moment that question could be asked and the moment it was answered. There were roughly 16,400 exposed instances when it was.

The advisory tells operators to apply the patch. Apply the patch. The SaaS customers were patched on February 2; the on-prem customers patched on whatever cadence their change board granted, with a public PoC out by February 10 and mass-exploitation confirmed by February 12. For on-prem operators, the question that the advisory does not start is what to do with the contents of the vault.

When a privileged-access broker is the only approved path into production — the channel a vendor uses to reach the billing system, the route a contractor uses to touch the clinical EHR — the appliance does more than relay sessions. It holds the credentials those sessions use. The site user controls active sessions, appliance configuration, and the credential vault. A site-user-level payload reads what the site user can read. During the on-prem exposure window, that is every shared credential, every stored secret, every privileged API key the appliance brokered.

A patched appliance with un-rotated vault contents is the same shape as a patched MDM with un-rotated admin credentials: the door is closed, the key is still in circulation. Rotation on this product is not one password change. It is regenerating every secret the appliance brokered during the window: shared logins in stored sessions, API keys for the tooling that runs through the broker, service-account passwords on the systems the broker reaches. Many of those are owned by teams that did not know they had a stake in the BeyondTrust outage. Many of those teams have not been told to rotate.

The three-day KEV deadline on this CVE is correct for an unauthenticated mass-exploited RCE on a privileged-access broker. The three-day deadline is for the patch. The vault question is on a different clock and the advisory does not start it. Three months out, with roughly 8,500 on-prem instances exposed at peak, a number of those operators patched and stopped. The auditor’s question in six months will not be “did you patch in February.” It will be “what did you rotate, and when.”
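One way to answer the auditor's question, as an added example that is not BeyondTrust tooling: given an export of which brokered credentials were used when and when each was last rotated, list the ones used between the public PoC and the patch that have not been rotated since, and the teams that own them. The CSV shape, the sample rows and the on-prem patch date are constructed assumptions; the window start is the February 10 PoC date from the text.

```shell
#!/bin/sh
# Added example, not BeyondTrust tooling. Input is a hypothetical CSV export of
# credential use through the broker:  used_at,credential_id,owner_team,last_rotated
# with ISO-8601 dates, so plain string comparison orders them correctly.

POC_PUBLIC="2026-02-10"     # public PoC date, from the article
PATCHED_AT="2026-02-17"     # assumed date this on-prem appliance was patched

# Constructed sample records (not real credentials or teams).
SAMPLE='used_at,credential_id,owner_team,last_rotated
2026-02-04,svc-billing-db,payments,2025-11-30
2026-02-11,svc-billing-db,payments,2025-11-30
2026-02-12,ehr-vendor-ro,clinical-it,2026-02-20
2026-02-13,k8s-deploy-token,platform,2026-01-05
2026-02-19,backup-admin,infra,2025-09-01'

# Prints "credential_id,owner_team" for every credential used inside the exposure
# window [POC_PUBLIC, PATCHED_AT] whose last rotation predates the patch. A rotation
# done before the patch does not count: the attacker could still have read the new
# value through the unpatched appliance.
pending_rotations() {
    printf '%s\n' "$SAMPLE" | awk -F, -v start="$POC_PUBLIC" -v end="$PATCHED_AT" '
        NR == 1 { next }                                   # skip header
        $1 >= start && $1 <= end {                         # used during the window
            if ($4 < end && !seen[$2]++) print $2 "," $3   # not rotated since patch
        }'
}

# The owning teams that need to be told, one per line.
teams_to_notify() {
    pending_rotations | cut -d, -f2 | sort -u
}

pending_rotations   # svc-billing-db,payments / k8s-deploy-token,platform
teams_to_notify     # payments / platform
```

Note what the filter keeps and drops: svc-billing-db's February 4 use is outside the window but its February 11 use is inside it; ehr-vendor-ro was used in the window but rotated after the patch and so drops out; backup-admin was used only after the patch. The real export will be larger and messier, but the two dates that bound the window are the whole decision.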

The narrow lesson is product-specific: when a patch lands for the second RCE in the same endpoint family inside fifteen months, the post-patch review is not optional. The wider one is that a privileged-access broker's blast radius is the sum of every privileged credential it has ever brokered. A CVSS 9.8 score names the appliance. It does not name the vault.

What NVD says

CWE-78, improper neutralization of special elements used in an OS command. CVSS 3.1 base 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS 4.0 base 9.9. Unauthenticated RCE reachable on the same port as the web management interface. NVD carries the exploitability and the impact correctly. What the record does not carry forward: that the site-user account the payload runs as is also the account that controls active sessions and the credential vault. The scoring is bounded to the appliance; the consequence is not.


What the vendor says

BeyondTrust published advisory BT26-02 on February 6, naming CVE-2026-1731 as an OS command injection in the WebSocket handshake path shared by Remote Support and Privileged Remote Access. SaaS instances were auto-patched on February 2, four days ahead of public disclosure. On-prem customers were directed to apply packages BT26-02-RS and BT26-02-PRA via the appliance management interface; fixed builds are RS 25.3.2 and PRA 25.1.1. The advisory describes the bug and the remediation. It does not direct operators to rotate the credentials held in the appliance's vault for the window between public PoC and patch application. That step is the operator's call only because the vendor left it that way.

Compliance impact

PCI DSS
RS/PRA appliances that broker privileged access into the Cardholder Data Environment are in scope for Requirement 7 (least-privilege access) and Requirement 8 (strong authentication for non-console privileged access). If the appliance was internet-reachable during the exposure window, the assessor's question is not 'did you patch.' It is 'what privileged credentials passed through this appliance between the public PoC and your patch, and which of them were rotated after.'
HIPAA
Covered entities and business associates using RS/PRA as the path for contractor or vendor access to ePHI-bearing systems are exposed to Breach Notification Rule analysis. The four-factor risk assessment cannot stop at 'the appliance is patched' — it has to address what the site-user account could have read or modified during the exposure window, which on a privileged-access broker includes every clinical system the broker reaches and every shared credential held in the vault for it.
