INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
BeyondTrust RCE Flaw Exploited in Attacks
2026-02-20 15:45 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The newly disclosed critical security flaw, CVE-2026-1731, has been exploited by sophisticated threat actors to conduct a wide range of malicious actions across various sectors. The vulnerability allows attackers to execute operating system commands in the context of the site user, enabling them to deploy web shells and establish backdoors for further exploitation. The root cause is a localized input validation (sanitization) failure in a specific execution path, which underscores the need for robust security measures to prevent similar attacks.
Technical Mitigations (AI-generated)
* Implement robust input validation and sanitization mechanisms to prevent exploitation of the CVE-2026-1731 vulnerability.
* Regularly update and patch BeyondTrust Remote Support and Privileged Remote Access appliances with the latest security patches to ensure that known vulnerabilities, including this one, are addressed.
* Conduct thorough security testing and penetration testing on systems using these products to identify potential weaknesses and prevent exploitation of the CVE-2026-1731 vulnerability.
* Educate users about the risks associated with CVE-2026-1731 and provide guidance on protecting exposed systems from unauthenticated attackers.
* Consider implementing a "least privilege" access model for system administrators, where only necessary privileges are granted to minimize the attack surface.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns:
* Spark
* CVE-2026-1731
* CVE-2024-12356
Target & Sectors (Global Scope):
* retail
* technology
* legal
* healthcare
* education
Incident Timeline
January 31
Hacktron disclosed the vulnerability CVE-2026-1731 to BeyondTrust on January 31.
Source context: "CVE-2026-1731 is now exploited in the wild. Hacktron discovered the vulnerability and responsibly disclosed it to BeyondTrust on January 31."
February 2, 2026
Threat actors exploited a BeyondTrust flaw to gain unauthorized access and execute web shells on targeted systems.
Source context (tactic: Exfiltration): "Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."
BeyondTrust automatically patched all Remote Support and Privileged Remote Access SaaS instances on February 2, 2026, but on-premise customers must install patches manually.
February 6
BeyondTrust disclosed the vulnerability on February 6, warning unauthenticated attackers could exploit it by sending specially crafted client requests.
Feb 20, 2026
The threat actors used the BeyondTrust flaw to gain access to administrative accounts and install multiple web shells, including a PHP backdoor.
Source context:
* "CVE-2024-12356's insufficient validation was using third-party software (postgres), while CVE-2026-1731's insufficient validation problem occurred in the BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) codebase."
* In a report published Thursday, Palo Alto Networks Unit 42 said it detected the security flaw being actively exploited in the wild for network reconnaissance, web shell deployment, command-and-control (C2), backdoor and remote management tool installs, lateral movement, and data theft.
* The cybersecurity company described the vulnerability as a case of sanitization failure that enables an attacker to leverage the affected "thin-scc-wrapper" script, reachable via a WebSocket interface, to inject and execute arbitrary shell commands in the context of the site user.
* Observed activity included installing multiple web shells across directories, including a PHP backdoor capable of executing raw PHP code or running arbitrary PHP code without writing new files to disk, as well as a bash dropper that establishes a persistent web shell.
2026-02-20
Threat actors exploited a critical pre-authentication remote code execution vulnerability in BeyondTrust's Remote Support and Privileged Remote Access products.
Source context:
* The Hacker News, Ravie Lakshmanan, Feb 20, 2026 (Vulnerability / Cyber Attack): "Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of malicious actions, including deploying VShell and" [excerpt truncated in source]. "The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user."
* "Tracked as CVE-2026-1731 and assigned a near-maximum CVSS score of 9.9, the flaw affects BeyondTrust Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier."
* Section heading in source: "BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration."
* "Attackers are abusing get_portal_info to extract the x-ns-company value before establishing a WebSocket channel."
* "A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access appliances is now being exploited in attacks after a PoC was published online."
* "BeyondTrust Remote Support and older versions of Privileged Remote Access contain a critical pre-authentication remote code execution vulnerability that may be triggered through specially crafted client requests," explained BeyondTrust.
* "Hacktron says approximately 11,000 BeyondTrust Remote Support instances were exposed online, with around 8,500 on-premises deployments."
* "BleepingComputer contacted BeyondTrust and Dewhurst to ask if they had any details on post-exploitation activity and will update this story if we receive a response."
Tactical Metrics
* CVSS score: 9.9
* Affected BeyondTrust Remote Support versions: 25.3.1 and earlier
* Affected BeyondTrust Privileged Remote Access versions: 24.3.4 and earlier
Source context: "Tracked as CVE-2026-1731 and assigned a near-maximum CVSS score of 9.9, the flaw affects BeyondTrust Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier."
Intelligence Sources
* BleepingComputer, 2026-02-12: "Critical BeyondTrust RCE flaw now exploited in attacks, patch now"
* The Hacker News, 2026-02-20
Incident Version History
Current version, last updated: 2026-04-27T07:03
Comprehensive Tactical Telemetry
Highly Correlated Entities (mention count, entity type, value):
* 22x organisation (identified entity): BeyondTrust Flaw Used
* 5x source region (origin country): France
* 5x industry (targeted sector): Legal
* 5x tactic (cyber operation type): Exfiltration
* 4x timeline (temporal reference): Feb 20, 2026
* 3x attribution (attributing entity): the U.S. Cybersecurity and Infrastructure Security Agency
* 3x infrastructure (software version): 9.9
* 2x vulnerability (exploited CVE): CVE-2024-12356
* 2x tactic (MITRE ATT&CK technique): T1059.006 - Python
* 2x general metric (date): Feb 20
Contextual Telemetry (6 metrics):
* general metric: Palo Alto Networks Unit 42
* general metric (score): 10
* malware payload (tool): Spark
* vulnerability (CVSS score): 10
* general metric (support instances): 11,000
* general metric (deployments): 8,500