
BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration

Ravie Lakshmanan | February 20, 2026 | Vulnerability / Cyber Attacks

Threat actors have been observed exploiting a disclosed critical security flaw affecting the BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to perform a number of malicious actions, including using VShell and

The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user.

In a report published on Thursday, Palo Alto Networks Unit 42 said it found that the security flaw is being actively exploited in the wild for network discovery, deployment of web shells, command-and-control (C2), installation of backdoors and remote access tools, lateral movement, and data theft.

The campaign targeted the financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the US, France, Germany, Australia and Canada.

The cybersecurity company described the vulnerability as a sanitization failure that allows an attacker to use the affected "thin-scc-wrapper" script, reachable through the WebSocket interface, to inject and execute arbitrary shell commands in the site user's context.

“Although this account is separate from the root user, compromising it gives an attacker the ability to control device settings, managed sessions and network traffic,” said security researcher Justin Moore.

The observed activity spans the full chain from initial exploitation to post-exploitation:

  • Using a custom Python script to gain access to an administrative account.
  • Deploying multiple web shells, including a PHP backdoor that can execute raw PHP code or run obfuscated PHP code without writing new files to disk, and a bash dropper that launches a persistent web shell.
  • Deploying malware such as VShell and Spark RAT.
  • Using out-of-band application security testing (OAST) techniques to confirm successful code execution and to fingerprint vulnerable systems.
  • Executing commands on the appliance, then compressing and exfiltrating sensitive data, including configuration files, internal system databases and complete PostgreSQL dumps, to an external server.
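The bug class behind the "thin-scc-wrapper" sanitization failure, a wrapper that turns request fields into an OS command, modelled in Python as an added example (not BeyondTrust's code; the field names, the allowed action set and the `/opt/wrapper/` path are assumptions). It shows the vulnerable string-building pattern beside a hardened version that allow-lists input and never hands the arguments to a shell, plus a small log-review helper that flags arguments carrying shell syntax.

```python
"""Illustrative model of a wrapper that builds an OS command from untrusted
request fields (added example; not the vendor's script)."""
import re
import subprocess
from typing import List

# Hypothetical sub-commands the wrapper is meant to expose (assumption).
ALLOWED_ACTIONS = {"status", "restart", "logs"}
# Conservative allow-list for the single free-form argument, e.g. a service name.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Shell metacharacters that turn one argument into additional commands.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\\'"]""")


def build_command_unsafe(action: str, arg: str) -> str:
    """Vulnerable pattern: the argument is interpolated into a command line
    that would later be parsed by /bin/sh, so it is never executed here."""
    return f"/opt/wrapper/{action} {arg}"


def build_command_safe(action: str, arg: str) -> List[str]:
    """Hardened pattern: validate both fields against allow-lists and return
    an argv list; with shell=False nothing re-parses the argument."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    if not SAFE_ARG.fullmatch(arg):
        raise ValueError("argument contains characters outside the allow-list")
    return ["/opt/wrapper/" + action, arg]


def is_rejected(action: str, arg: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_command_safe(action, arg)
    except ValueError:
        return True
    return False


def looks_like_injection(arg: str) -> bool:
    """Detection helper for log review: flag arguments carrying shell syntax."""
    return SHELL_META.search(arg) is not None


def run_safe(action: str, arg: str) -> subprocess.CompletedProcess:
    """Execute only a validated argv list, never a shell string."""
    argv = build_command_safe(action, arg)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    crafted = "svc; id"  # constructed sample input with an injected second command
    print("unsafe  :", build_command_unsafe("status", crafted))
    print("flagged :", looks_like_injection(crafted))
    print("rejected:", is_rejected("status", crafted))
```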

“The relationship between CVE-2026-1731 and CVE-2024-12356 highlights the challenge of local, iterative and validating inputs between different implementations,” Unit 42 said.

“CVE-2024-12356's insufficient authentication issue involved third-party software (postgres), while CVE-2026-1731's insufficient authentication issue occurred in BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) code.”

Since CVE-2024-12356 has been exploited by Chinese threat actors such as Silk Typhoon, the cybersecurity firm noted that CVE-2026-1731 could also be targeted by such actors.

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog entry for CVE-2026-1731 to confirm that the bug has been exploited in ransomware campaigns.
