CVE-2026-1731 is an RCE vulnerability in identity platform BeyondTrust. This flaw allows attackers control of systems without login credentials.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

CVE-2026-1731 is a critical pre-authentication RCE vulnerability (CVSS 9.9) in BeyondTrust remote support software, affecting the thin-scc-wrapper component via WebSocket connections. The flaw stems from unsanitized bash arithmetic evaluation of the remoteVersion parameter, allowing OS command injection without credentials. Unit 42 has observed active exploitation across financial, legal, healthcare, and tech sectors in the US, France, Germany, Australia, and Canada. Attacker activity includes webshell deployment (PHP, bash droppers with config STOMPing), SparkRAT and VShell backdoor installation, DNS tunneling for C2 evasion, temporary admin account takeover via custom Python scripts, and PostgreSQL data exfiltration. Over 10,600 exposed instances have been identified. CISA added the CVE to its KEV catalog on Feb. 13, 2026. Patching guidance and XQL threat hunting queries are provided.

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

Current Scope of Attacks Exploiting CVE-2026-1731

Palo Alto Networks Product Protections for CVE-2026-1731