
CVE-2026-1731 fuels ongoing attacks on BeyondTrust remote access products

Pierluigi Paganini February 23, 2026

Attackers are exploiting CVE-2026-1731 in BeyondTrust RS and PRA to deploy VShell, gain persistence, move laterally, and control compromised systems.

Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).

The flaw is being used to conduct a wide range of malicious activities, including deploying VShell and other tools to gain persistence, move laterally, and maintain remote control over compromised systems.

Recently, BeyondTrust released security updates to address the critical flaw in its Remote Support and older Privileged Remote Access products. The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in. The issue, disclosed on February 6, 2026, could lead to full remote code execution if exploited, making the updates essential to prevent abuse.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability.” reads the advisory. “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

Exploiting the flaw would let a remote attacker run system commands without authentication or user interaction, potentially leading to full system compromise, data theft, and service disruption.

BeyondTrust released patches for CVE-2026-1731 on February 6 after Hacktron researchers warned that thousands of instances were exposed online.

The Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments. Around 8,500 of these are on-prem systems and could remain vulnerable if not patched. The affected deployments are mainly used by large organizations, including enterprises in the healthcare, financial services, government, and hospitality sectors.

After a PoC exploit went public on February 10, GreyNoise detected attack attempts within 24 hours, with one IP responsible for most reconnaissance activity.

In a new report, Palo Alto Networks Unit 42 confirmed the flaw is being actively exploited for reconnaissance, web shell deployment, C2 activity, backdoor installation, lateral movement, and data theft. The campaign has hit multiple sectors, including finance, legal, tech, education, retail, and healthcare, across the U.S., France, Germany, Australia, and Canada.

Threat actors used a custom Python script to briefly hijack the main admin account (User ID 1) for 60 seconds.

“The Python script functions by querying the target’s database to back up the existing password hash for the primary administrator (User ID 1). It leverages the application’s own authentication binary (check_auth) to generate a valid hash for the password string password and injects the hash into the database.” reads the report published by Palo Alto Networks.

The script backed up the original password hash, generated a valid one for a known password, injected it into the database, then restored the original hash and deleted itself—minimizing traces and evading detection.
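The change-then-restore pattern described above leaves a short-lived trace in any audit trail that records credential changes. The following is an added detection example, not code from the article or from Unit 42: it assumes a constructed audit feed of (timestamp, user_id, password_hash) records and flags cases where the primary administrator's hash is replaced and then reverted to its previous value within a configurable window.

```python
"""
Detect a transient credential swap on the primary admin account (User ID 1).

Added example for this page; the audit record format and the sample events
below are constructed assumptions, not BeyondTrust's actual schema.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample audit records: (ISO-8601 timestamp, user_id, password_hash).
# The hash values are placeholders, not real digests.
SAMPLE_EVENTS: List[Tuple[str, int, str]] = [
    ("2026-02-12T03:14:05", 1, "$6$orig-admin-hash"),      # baseline value
    ("2026-02-12T03:14:05", 7, "$6$user7-hash"),
    ("2026-02-12T09:02:11", 1, "$6$injected-hash"),        # hash replaced
    ("2026-02-12T09:03:05", 1, "$6$orig-admin-hash"),      # restored 54 s later
    ("2026-02-12T11:00:00", 3, "$6$user3-hash"),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used by the constructed audit feed."""
    return datetime.fromisoformat(value)


def find_transient_hash_swaps(
    events: List[Tuple[str, int, str]],
    user_id: int = 1,
    max_window_seconds: int = 300,
) -> List[Tuple[datetime, datetime, str]]:
    """Return (change_ts, restore_ts, interim_hash) for every case where the
    given user's password hash was changed and then reverted to the prior
    value within max_window_seconds.

    A legitimate reset followed by a quick correction can also match, so the
    output is a lead for triage, not a verdict on its own."""
    history = sorted(
        (parse_ts(ts), uid, h) for ts, uid, h in events if uid == user_id
    )
    window = timedelta(seconds=max_window_seconds)
    findings = []
    for i in range(1, len(history) - 1):
        _, _, prev_hash = history[i - 1]
        change_ts, _, interim_hash = history[i]
        restore_ts, _, next_hash = history[i + 1]
        changed = interim_hash != prev_hash
        reverted = next_hash == prev_hash
        if changed and reverted and (restore_ts - change_ts) <= window:
            findings.append((change_ts, restore_ts, interim_hash))
    return findings


if __name__ == "__main__":
    for change_ts, restore_ts, interim in find_transient_hash_swaps(SAMPLE_EVENTS):
        held = (restore_ts - change_ts).total_seconds()
        print(f"admin hash swapped at {change_ts}, restored after {held:.0f}s")
```

Because the script in the report also deleted itself, the audit trail of the credential store may be the only durable artefact; correlating a hit from this check with an administrator login during the same window is the natural next step for triage.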

Unit 42 observed attackers deploying multiple web shells, including one-line, password-protected PHP backdoors that execute Base64-encoded commands via eval() without writing extra files. The researchers also spotted a more advanced shell (aws.php) that acted as a stealth C2 gate, echoing markers linked to tools like China Chopper. A bash dropper used “config STOMPing” to persist by loading a malicious Apache configuration into memory while keeping disk files clean.
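The one-line shells described above combine a request-controlled input with a dynamic code or command execution sink, which is a pattern a simple source scan can surface. The following is an added example, not code from the article or from Unit 42: it assumes a constructed set of PHP file contents and flags a file only when an execution sink and an untrusted request source appear together, to keep ordinary helper code out of the results.

```python
"""
Flag PHP sources that pair a dynamic execution sink with request-controlled input.

Added example for this page; the indicator list and the sample files are
constructed assumptions, not signatures published by Unit 42.
"""
import re
from typing import Dict, List

# Indicator regex -> short description. Deliberately small and readable;
# real deployments would extend this list and tune it against their code base.
INDICATORS: Dict[str, str] = {
    r"\beval\s*\(": "eval() call",
    r"\bbase64_decode\s*\(": "base64_decode() call",
    r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[": "untrusted superglobal read",
    r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(": "OS command execution function",
}

# Sinks that turn data into code or commands; a hit here plus a request
# source is the combination this check treats as a suspected web shell.
EXECUTION_SINKS = {"eval() call", "OS command execution function"}

# Constructed sample files: one benign page, one benign helper, one shell.
SAMPLE_FILES: Dict[str, str] = {
    "index.php": "<?php\nrequire 'app.php';\necho render_home();\n",
    "helpers.php": "<?php\nfunction enc($s){return base64_encode($s);}\n",
    "cache_x.php": "<?php if($_POST['k']=='s3cret'){eval(base64_decode($_POST['c']));} ?>",
}


def scan_php_source(src: str) -> List[str]:
    """Return the descriptions of every indicator present in the source."""
    return [desc for pattern, desc in INDICATORS.items() if re.search(pattern, src)]


def is_suspected_webshell(src: str) -> bool:
    """True when an execution sink and a request-controlled source co-occur."""
    hits = set(scan_php_source(src))
    return bool(hits & EXECUTION_SINKS) and "untrusted superglobal read" in hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspected file name to the indicators that triggered."""
    return {
        name: scan_php_source(src)
        for name, src in files.items()
        if is_suspected_webshell(src)
    }


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

A scan of files on disk will not see the "config STOMPing" persistence described above, where the malicious Apache configuration exists only in memory; that case calls for comparing the running server's loaded configuration with what is on disk, which is outside this example.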

The campaign also leveraged SparkRAT, VShell, PowerShell downloaders, a multi-method Linux “download-and-execute” cradle, and attempted Meterpreter reverse shells over port 4444.

Recently, the Cybersecurity and Infrastructure Security Agency warned that CVE-2026-1731 has been actively exploited in ransomware campaigns, prompting a revision of its KEV catalog entry.

Article source: https://securityaffairs.com/188370/hacking/cve-2026-1731-fuels-ongoing-attacks-on-beyondtrust-remote-access-products.html