Ransomware Actors Exploit BeyondTrust Remote Support Flaw Targeting Healthcare
U.S. health-sector authorities warned hospitals and clinics to urgently patch a critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access that can provide attackers an initial foothold and enable unauthorized control of affected appliances inside enterprise networks. The flaw is tracked as CVE-2026-1731 and was highlighted to the healthcare and public health sector amid increased targeting of those organizations.
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and set an accelerated remediation deadline for federal agencies, later updating the entry to warn that ransomware operators are actively exploiting the issue. Palo Alto Networks Unit 42 also reported in-the-wild exploitation, describing threat actors weaponizing the vulnerability to take control of appliances and expand access within victim environments, increasing risk to clinical networks if unpatched.
Timeline
Feb 20, 2026
HHS alerts healthcare organizations to urgently address the flaw
HHS issued an alert to the healthcare and public health sector urging organizations to review and remediate the BeyondTrust vulnerability amid rising cyberattacks on the sector. The warning highlighted the risk that exploitation could provide attackers an initial foothold in clinical and corporate networks.
Feb 20, 2026
Palo Alto Networks Unit 42 reports active exploitation
Palo Alto Networks Unit 42 reported that attackers were actively exploiting CVE-2026-1731 in BeyondTrust products. BeyondTrust warned successful exploitation could enable unauthorized access, data exfiltration, service disruption, and broader system compromise.
Feb 20, 2026
CISA updates KEV entry to warn of ransomware exploitation
CISA later updated the KEV entry for CVE-2026-1731 to note that ransomware actors were exploiting the vulnerability. This marked an escalation from general active exploitation to ransomware-linked abuse.
Feb 13, 2026
CISA adds CVE-2026-1731 to Known Exploited Vulnerabilities catalog
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog on February 13, 2026, indicating the flaw was being actively exploited. Federal agencies were given a three-day deadline to remediate the issue.
Feb 11, 2026
Health-ISAC warns healthcare sector about BeyondTrust flaw
Health-ISAC issued a bulletin to the healthcare sector warning about the BeyondTrust vulnerability and its potential impact on provider organizations. The group emphasized the products are widely used for remote IT and clinical engineering support, raising the risk of enterprise-wide disruption and patient care impacts.
Feb 2, 2026
BeyondTrust releases patches for CVE-2026-1731
BeyondTrust released patches for a critical flaw in Remote Support and Privileged Remote Access on February 2, 2026. The company said updates were automatically deployed for instances using its update service and fully applied in SaaS environments.
Related Stories

Active Exploitation of BeyondTrust Remote Support RCE (CVE-2026-1731) to Deploy VShell and SparkRAT
**BeyondTrust Remote Support** is being actively exploited via **CVE-2026-1731**, a **critical pre-authentication OS command injection / RCE** flaw (CVSS **9.9**) in the `thin-scc-wrapper` component exposed to the internet via **WebSocket**. Reporting indicates attackers can execute system commands without logging in, enabling rapid progression from initial access to full compromise, including reconnaissance, account creation, webshell deployment, C2 activity, lateral movement, and data theft. Victimology described to date spans multiple sectors—**financial services, healthcare, legal services, higher education, and technology/retail**—across the **U.S., France, Germany, Australia, and Canada**, with telemetry indicating **10,600+** exposed instances potentially at risk. Threat activity observed in exploitation includes deployment of two prominent remote-access backdoors: **VShell** (noted for stealthy, service-like behavior and fileless/memory execution on Linux) and **SparkRAT** (an open-source Go-based RAT previously seen in campaigns linked to *DragonSpark*). Due to confirmed exploitation, **CISA added CVE-2026-1731 to the KEV Catalog** (Feb. 13, 2026), signaling urgent patching/mitigation prioritization. Separate reporting in the same period covered unrelated critical issues in **GNU Inetutils telnetd (CVE-2026-24061)** and an exploitation surge affecting **Ivanti** products (**CVE-2025-0282/CVE-2025-0283**), but those are distinct from the BeyondTrust activity.
1 month ago
CISA Flags Actively Exploited Vulnerabilities as KEV Adds Expand to BeyondTrust and Roundcube
CISA updated its *Known Exploited Vulnerabilities (KEV) Catalog* to reflect **active exploitation** of a previously patched **BeyondTrust** remote code execution flaw, **CVE-2026-1731** (CVSS 9.9), which has now been tied to **ransomware activity**. Reporting also cited third-party telemetry indicating an increase in exploitation attempts, and emphasized that because BeyondTrust commonly sits in **identity/privileged access** paths, successful RCE can rapidly translate into broad enterprise compromise; recommended mitigations included immediate patching and, if patching is not immediately possible, taking the affected portal offline or tightly restricting access. Separately, CISA also announced the addition of two **Roundcube Webmail** vulnerabilities to the KEV Catalog based on evidence of active exploitation: **CVE-2025-49113** (deserialization of untrusted data) and **CVE-2025-68461** (cross-site scripting). CISA reiterated that under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by mandated deadlines, and urged all organizations to prioritize remediation of KEV entries as a high-signal indicator of real-world exploitation risk.
1 month ago
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
5 days ago
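The post-exploitation indicators named in the Huntress summary above (new privileged accounts, additions to Domain Admins, nltest.exe/NetScan reconnaissance, PoisonX.sys and HRSword.exe) map onto standard Windows Security and Sysmon events. The following is an added example, not code from the page or from Huntress, that runs a simple triage over constructed JSON-per-line events; the event field names and the Sysmon driver-load event are assumptions about the log export format.

```python
import json

# Indicator sets taken from the incident summary above. Event IDs are standard
# Windows Security IDs (4720 user created, 4728/4756 member added to a
# global/universal group, 4688 process creation); ID 6 is Sysmon driver loaded.
PRIVILEGED_GROUPS = {"domain admins"}
RECON_BINARIES = {"nltest.exe", "netscan.exe"}
SUSPICIOUS_DRIVERS = {"poisonx.sys", "hrsword.exe"}


def classify(event):
    """Return a finding label for one parsed event, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 4720:
        return f"account created: {event.get('TargetUserName')}"
    if eid in (4728, 4756) and event.get("TargetGroup", "").lower() in PRIVILEGED_GROUPS:
        return f"privileged group change: {event.get('MemberName')} -> {event.get('TargetGroup')}"
    if eid == 4688:
        image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if image in RECON_BINARIES:
            return f"recon tool executed: {image}"
    if eid == 6 and event.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower() in SUSPICIOUS_DRIVERS:
        return f"suspicious driver loaded: {event['ImageLoaded']}"
    return None


def scan(lines):
    """Parse one JSON event per line and collect findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        hit = classify(event)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real telemetry); assumed field names.
SAMPLE_LOG = r"""
{"EventID": 4720, "TargetUserName": "svc_support2"}
{"EventID": 4728, "MemberName": "CN=svc_support2,CN=Users,DC=corp,DC=example", "TargetGroup": "Domain Admins"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\nltest.exe"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\PoisonX.sys"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```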