VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
Summary:
CVE-2026-1731 is a critical, pre-authentication remote code execution vulnerability affecting BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) codebase. The flaw resides in the network-exposed thin-scc-wrapper component, which processes incoming WebSocket connections during the initial client handshake.
Specifically, the backend script evaluates the user-supplied remoteVersion parameter inside a Bash arithmetic context intended for version comparison. Because this context allows expression evaluation and command substitution, a crafted value can trigger operating system command execution before any authentication takes place. As a result, an unauthenticated attacker can inject arbitrary shell commands that execute in the context of the appliance “site user,” enabling full control over the appliance’s configuration, managed sessions and network traffic.
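The root cause described above is a general shell pitfall: a string that reaches `$(( ))` unvalidated is evaluated, so command substitution and arithmetic operators inside it run. The following added example (not BeyondTrust's code and not taken from the Unit 42 write-up; all function and variable names are illustrative assumptions) shows the defensive pattern: allowlist the version string with a strict regular expression first, and only then compare it numerically, so nothing but digits and dots can ever enter the arithmetic context.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: a version-comparison helper that
# validates untrusted input against a strict allowlist before it is ever
# placed in an arithmetic context. Function and variable names are illustrative.

# Accept only a dotted numeric version such as 25.3.2 (1 to 4 components).
# Shell metacharacters, "$(", backticks and operators all fail this check.
is_safe_version() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,6}(\.[0-9]{1,6}){0,3}$'
}

# Strip leading zeros so a component like 08 is never parsed as octal.
to_decimal() {
    d=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${d:-0}"
}

# Compare two versions component by component. Prints -1, 0 or 1.
# If either input fails validation it prints "rejected" and returns 2,
# so unvalidated text never reaches $(( )).
compare_versions() {
    a="$1"; b="$2"
    if ! is_safe_version "$a" || ! is_safe_version "$b"; then
        printf '%s\n' rejected
        return 2
    fi
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Take the leading component of each side (an exhausted side counts as 0).
        x=$(to_decimal "${a%%.*}"); y=$(to_decimal "${b%%.*}")
        # Drop the consumed component, or empty the string when none remain.
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "$(( x < y ))" -eq 1 ]; then printf '%s\n' -1; return 0; fi
        if [ "$(( x > y ))" -eq 1 ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Gate an upgrade decision on the validated comparison only.
# Usage: needs_upgrade <installed> <minimum-fixed>   (exit 0 = upgrade needed)
needs_upgrade() {
    r=$(compare_versions "$1" "$2") || return 2
    [ "$r" = "-1" ]
}

# Example run (constructed inputs): prints 1, then "rejected".
compare_versions 25.10 25.9
compare_versions '1$(true)' 25.3.2
```

The comparison is numeric per component, so 25.10 correctly sorts after 25.9, and a rejected input produces a distinct exit status (2) rather than a silent default, which lets the caller log and refuse the handshake instead of proceeding.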
Researchers from Palo Alto Networks Unit 42 are actively investigating in-the-wild exploitation of this vulnerability and report that successful compromise is rapidly followed by hands-on activity. Observed post-exploitation activity includes internal network reconnaissance, the creation of both local and domain accounts for persistence, deployment of multiple web shells, establishment of command-and-control channels, and the installation of backdoors such as VShell and SparkRAT, along with legitimate remote management tools including SimpleHelp and AnyDesk. Unit 42 has also documented data-theft operations, including staging and exfiltration of configuration files and internal databases, as well as attempts to evade detection through short-lived administrative account takeover.
Security Officer Comments:
The campaign tracked by Unit 42 has affected organizations across financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors in the United States, France, Germany, Australia and Canada. Due to confirmed active exploitation and the low-complexity, high-impact nature of the flaw, CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities Catalog, urging both federal and private-sector organizations to remediate the issue. Based on telemetry from Palo Alto Networks Cortex Xpanse, more than 10,600 internet-exposed instances are vulnerable to CVE-2026-1731, indicating a broad and active attack surface for ongoing exploitation.
Suggested Corrections:
A February 2026 BeyondTrust advisory recommends that self-hosted customers of Remote Support and Privileged Remote Access manually patch any instances that are not subscribed to automatic updates in the appliance interface.
Customers on a Remote Support version older than 21.3 or on Privileged Remote Access older than 22.1 will need to upgrade to a newer version to apply this patch.
Self-hosted customers of Privileged Remote Access may also upgrade to 25.1.1 or a newer version to remediate this vulnerability.
A patch that remediates this vulnerability has been applied to all Remote Support SaaS and Privileged Remote Access SaaS customers as of Feb. 2, 2026.
Self-hosted customers of Remote Support may also upgrade to 25.3.2 to remediate this vulnerability.
Link(s):
https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/