Threat actors have been observed taking advantage of a recently disclosed critical security flaw affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of malicious actions, including deploying VShell and
The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user.
In a report published Thursday, Palo Alto Networks Unit 42 said it discovered the security flaw being actively exploited for network reconnaissance, web shell deployment, command-and-control (C2), backdoor and remote management tool installation, lateral movement, and data theft.
The campaign has targeted the financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the US, France, Germany, Australia, and Canada.
The cybersecurity company described the vulnerability as a sanitization failure that lets an attacker abuse the affected "thin-scc-wrapper" script, which is reachable through the WebSocket interface, to inject and execute arbitrary shell commands in the context of the site user.
“Although this account is separate from the root user, compromising it gives the attacker effective control over the device’s configuration, managed sessions, and network traffic,” said security researcher Justin Moore.
The current scope of attacks exploiting the vulnerability ranges from reconnaissance to backdoor deployment:
- Using a custom Python script to gain access to an administrative account.
- Installing multiple web shells in all directories, including a PHP backdoor capable of executing raw PHP code or running arbitrary PHP code without writing new files to disk, as well as a Bash dropper that installs a persistent web shell.
- Deploying malware like VShell and Spark RAT.
- Using out-of-band application security testing (OAST) techniques to validate successful code execution and fingerprint compromised systems.
- Executing commands to stage, compress, and exfiltrate sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, to an external server.
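The web shell and Bash dropper activity listed above leaves file-system artifacts that a defender can hunt for. The following Python script is an added illustration, not code from Unit 42, BeyondTrust, or the article: it builds a constructed web root (a benign page, a PHP file that evaluates request input, and a shell script that writes a `.php` file into a web directory), then walks the tree and reports PHP files calling code- or command-execution functions and shell scripts that behave like droppers. The directory names, file contents, and the pattern lists are assumptions chosen for the demonstration; on a real host you would point `scan_tree` at the served directories and review each finding by hand.

```python
"""Hunt for web shell and dropper artifacts in a web root.

Added example (not the report's or vendor's code). All sample files are
constructed inside a temporary directory so the script runs offline.
"""
import os
import re
import tempfile
from pathlib import Path

# PHP functions that execute code or shell commands. A match alone is not
# proof of a web shell, so every hit is reported with its line for review.
PHP_EXEC_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    re.compile(r"\bassert\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
]

# Request superglobals feeding the file: a much stronger signal when combined
# with one of the execution functions above.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Shell scripts that write a .php file resemble the Bash dropper described
# in the report (assumed pattern; tune to your environment).
DROPPER_PATTERN = re.compile(r"(echo|printf|cat\s*<<|base64\s+-d).*\.php", re.IGNORECASE)

PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def scan_file(path: Path) -> list:
    """Return (path, line_no, severity, snippet) tuples for one file."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    suffix = path.suffix.lower()
    lines = text.splitlines()
    if suffix in PHP_SUFFIXES:
        severity = "high" if REQUEST_INPUT.search(text) else "medium"
        for lineno, line in enumerate(lines, 1):
            if any(p.search(line) for p in PHP_EXEC_PATTERNS):
                findings.append((path, lineno, severity, line.strip()))
    elif suffix == ".sh" or text.startswith("#!"):
        for lineno, line in enumerate(lines, 1):
            if DROPPER_PATTERN.search(line):
                findings.append((path, lineno, "high", line.strip()))
    return findings


def scan_tree(root: Path) -> list:
    """Walk a directory tree and collect findings, sorted for stable output."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.extend(scan_file(Path(dirpath) / name))
    return sorted(results, key=lambda f: (str(f[0]), f[1]))


def build_sample_webroot(root: Path) -> None:
    """Populate a constructed web root: two benign files, two suspicious ones."""
    (root / "index.php").write_text('<?php echo "Welcome"; ?>\n')
    (root / "lib").mkdir()
    (root / "lib" / "util.php").write_text("<?php function add($a, $b) { return $a + $b; } ?>\n")
    (root / "uploads").mkdir()
    # Constructed in-memory PHP backdoor: evaluates request input directly.
    (root / "uploads" / ".cache.php").write_text('<?php @eval($_POST["c"]); ?>\n')
    (root / "tmp").mkdir()
    # Constructed dropper: writes a PHP file into a served directory.
    (root / "tmp" / "setup.sh").write_text(
        "#!/bin/bash\nprintf '%s' \"$PAYLOAD\" > /var/www/html/.s.php\n"
    )


def run_demo() -> list:
    """Build the sample tree, scan it, and return findings with root-relative paths."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_webroot(root)
        return [
            (p.relative_to(root).as_posix(), ln, sev, snippet)
            for p, ln, sev, snippet in scan_tree(root)
        ]


if __name__ == "__main__":
    for rel, ln, sev, snippet in run_demo():
        print(f"[{sev}] {rel}:{ln}: {snippet}")
```

The severity split matters in practice: legitimate applications do call `exec` or `base64_decode`, so a "medium" hit is a review item, while execution of request-controlled input or a script that drops PHP into a served path is worth treating as a likely compromise and cross-checking against file modification times and web server logs.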
Unit 42 states, “The relationship between CVE-2026-1731 and CVE-2024-12356 highlights a local, recurring challenge with input validation within separate execution paths.”
“The insufficient validation issue of CVE-2024-12356 was using third-party software (Postgres), while the insufficient validation issue of CVE-2026-1731 occurred in earlier versions of the BeyondTrust Remote Support (RS) and BeyondTrust Privileged Remote Access (PRA) codebases.”
With CVE-2024-12356 having been exploited by China-nexus threat actors like Silk Typhoon, the cybersecurity company noted that CVE-2026-1731 could also be the target of sophisticated threat actors.
The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog entry for CVE-2026-1731 to confirm that the bug has been exploited in ransomware campaigns.