Mallory

Active Exploitation of BeyondTrust Remote Support RCE (CVE-2026-1731) to Deploy VShell and SparkRAT

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, perimeter-device-exposure, remote-access-implant, initial-access-method
Updated March 21, 2026 at 02:22 PM (7 sources)

BeyondTrust Remote Support is being actively exploited via CVE-2026-1731, a critical pre-authentication OS command injection / RCE flaw (CVSS 9.9) in the thin-scc-wrapper component exposed to the internet via WebSocket. Reporting indicates attackers can execute system commands without logging in, enabling rapid progression from initial access to full compromise, including reconnaissance, account creation, webshell deployment, C2 activity, lateral movement, and data theft. Victimology described to date spans multiple sectors—financial services, healthcare, legal services, higher education, and technology/retail—across the U.S., France, Germany, Australia, and Canada, with telemetry indicating 10,600+ exposed instances potentially at risk.

Threat activity observed in exploitation includes deployment of two prominent remote-access backdoors: VShell (noted for stealthy, service-like behavior and fileless/memory execution on Linux) and SparkRAT (an open-source Go-based RAT previously seen in campaigns linked to DragonSpark). Due to confirmed exploitation, CISA added CVE-2026-1731 to the KEV Catalog (Feb. 13, 2026), signaling urgent patching/mitigation prioritization. Separate reporting in the same period covered unrelated critical issues in GNU Inetutils telnetd (CVE-2026-24061) and an exploitation surge affecting Ivanti products (CVE-2025-0282/CVE-2025-0283), but those are distinct from the BeyondTrust activity.

Timeline

  1. Feb 20, 2026

    BeyondTrust says exploitation was first detected on January 31

    BeyondTrust stated that exploitation of CVE-2026-1731 was first detected on 2026-01-31 and was largely limited to unpatched, internet-facing, self-hosted appliances before 2026-02-09. This disclosure clarified the campaign's start and early scope.

  2. Feb 20, 2026

    CISA updates KEV entry to warn of ransomware exploitation

    By 2026-02-20, CISA had updated its KEV entry for CVE-2026-1731 to state that ransomware actors were exploiting the vulnerability. This marked an escalation from general active exploitation to confirmed use in ransomware campaigns.

  3. Feb 20, 2026

    HHS warns healthcare organizations to remediate the flaw

    On 2026-02-20, reporting said the U.S. Department of Health and Human Services issued an alert urging healthcare and public health organizations to review and address CVE-2026-1731. The warning highlighted the risk that the flaw could give attackers an initial foothold in hospital and clinic networks.

  4. Feb 19, 2026

    BeyondTrust exploitation campaign reported across sectors and countries

    By 2026-02-19, Palo Alto Networks Unit 42 reported active in-the-wild exploitation of CVE-2026-1731 affecting multiple industries and countries. Observed post-exploitation activity included reconnaissance, web shell deployment, persistence, lateral movement, and use of VShell and SparkRAT.

  5. Feb 13, 2026

    CISA adds CVE-2026-1731 to the KEV catalog

    On 2026-02-13, CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to remediate it on an urgent timeline. Other organizations were also urged to take immediate action.

  6. Feb 10, 2026

    Public PoC for CVE-2026-1731 appears

    A public proof-of-concept for CVE-2026-1731 was released on 2026-02-10. Reporting says exploitation activity accelerated after the PoC became available.

  7. Feb 6, 2026

    BeyondTrust discloses CVE-2026-1731 and releases patches

    On 2026-02-06, BeyondTrust disclosed the critical pre-authentication command-injection flaw CVE-2026-1731 affecting Remote Support and Privileged Remote Access, and issued fixes. The company advised customers to upgrade to patched versions, including Remote Support 25.3.2 and Privileged Remote Access 25.1.1.


Related Stories

BeyondTrust Pre-Authentication RCE in Remote Support and Privileged Remote Access (CVE-2026-1731)

BeyondTrust released security updates for a **critical pre-authentication remote code execution** vulnerability in *BeyondTrust Remote Support (RS)* and certain older versions of *Privileged Remote Access (PRA)*. Tracked as **CVE-2026-1731** (CVSS **9.9**), the issue is described as an **operating system command injection** that can be triggered via **specially crafted requests** without authentication, allowing an attacker to execute OS commands in the context of the **site user** and potentially enabling **unauthorized access, data exfiltration, and service disruption**. Affected versions include **Remote Support 25.3.1 and earlier** and **Privileged Remote Access 24.3.4 and earlier**. BeyondTrust provided fixes via **RS Patch `BT26-02-RS` / RS 25.3.2+** and **PRA Patch `BT26-02-PRA` / PRA 25.1.1+**, and urged **self-hosted** customers to manually apply updates if not enrolled in automatic updates; older deployments (e.g., RS <21.3 or PRA <22.1) must first upgrade to a supported release line to apply the remediation. BeyondTrust’s **SaaS** instances were patched automatically (reported as completed on **2026-02-02**), reducing exposure primarily to organizations operating **self-managed** installations.
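As an added illustration (not BeyondTrust's or Mallory's code) of how the version thresholds above translate into an inventory check for self-hosted appliances: the hostnames and inventory rows are constructed, and the "unverified" band for versions that fall between the stated affected ceiling and the first fixed release is an assumption, since the summary above does not describe those versions.

```python
# Added example: triage a self-hosted BeyondTrust inventory against the
# CVE-2026-1731 version thresholds quoted above. Not vendor code.

# Per product: highest version stated as affected, first fixed release, and the
# oldest release line that can take the BT26-02 patch without a line upgrade.
PRODUCTS = {
    "RS":  {"affected_max": (25, 3, 1), "fixed": (25, 3, 2), "min_line": (21, 3)},
    "PRA": {"affected_max": (24, 3, 4), "fixed": (25, 1, 1), "min_line": (22, 1)},
}


def parse_version(text):
    """'25.3.1' -> (25, 3, 1). Tuples compare lexicographically, which is
    the right ordering for dotted release numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return parts


def triage(product, version):
    """Classify one appliance. 'unverified' is an assumption for versions the
    page does not describe (above the affected ceiling, below the fix): they
    are flagged for follow-up rather than cleared."""
    spec = PRODUCTS[product.upper()]
    v = parse_version(version)
    if v >= spec["fixed"]:
        return "patched"
    if v < spec["min_line"]:
        return "upgrade-line-first"  # must move to a supported line before BT26-02
    if v <= spec["affected_max"]:
        return "affected"
    return "unverified"


def triage_inventory(rows):
    """Group (host, product, version) rows by status for a remediation queue."""
    queue = {}
    for host, product, version in rows:
        queue.setdefault(triage(product, version), []).append(host)
    return queue


# Constructed sample inventory (hostnames are placeholders, not real assets).
SAMPLE_INVENTORY = [
    ("rs-edge-1.example.net", "RS", "25.3.1"),
    ("rs-edge-2.example.net", "RS", "25.3.2"),
    ("rs-legacy.example.net", "RS", "21.2.9"),
    ("pra-core.example.net", "PRA", "24.3.4"),
    ("pra-new.example.net", "PRA", "25.1.1"),
    ("pra-mid.example.net", "PRA", "25.0.1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:>18}: {', '.join(hosts)}")
```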

2 months ago

Active Exploitation of Critical Infrastructure Management RCE Flaws

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 month ago

Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities

Security teams reported rapid, opportunistic exploitation of newly disclosed **unauthenticated remote code execution (RCE)** flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of **React2Shell** in React Server Components (**CVE-2025-55182**), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., `xmrig`), then deploying additional payloads including the **HISONIC** backdoor, **SNOWLIGHT** downloader, and **CrossC2**, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (**CVE-2026-21962**, **CVE-2026-24061**) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for **83%** of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation. Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around **IcedID** operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.

1 month ago
