CVE-2026-1731 — BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability

CVE-2026-1731

BeyondTrust RS/PRA — Unauthenticated Remote Code Execution via WebSocket Bash Arithmetic Injection

What is BeyondTrust Remote Support and PRA?

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) are enterprise Privileged Access Management (PAM) tools used by IT teams to securely access, manage, and audit remote systems and privileged accounts. RS is designed for helpdesk and support scenarios; PRA controls access to critical infrastructure, servers, and network devices.

These products are deeply embedded in enterprise and government environments, often running with elevated credentials on sensitive internal networks. A compromise of a BeyondTrust instance gives an attacker a privileged foothold with visibility into everything the PAM tool touches — making it an exceptionally high-value target. BeyondTrust's prior CVE-2024-12356 was exploited by Silk Typhoon (APT27) in the December 2024 breach of the U.S. Treasury Department.

Overview

CVE-2026-1731 is a pre-authentication OS command injection vulnerability affecting BeyondTrust RS and PRA. An unauthenticated remote attacker can execute arbitrary operating system commands in the context of the site user, with no credentials, no user interaction, and low attack complexity. The vulnerability was discovered on January 31, 2026 and disclosed on February 6; mass exploitation began within 24 hours of a public PoC being posted and was confirmed on February 12.

CISA added it to the KEV catalog on February 13, 2026, with a remediation deadline of February 16, three days later and one of the shortest deadlines on record, reflecting the severity and active exploitation.

Affected Versions

Product                         Affected versions     Fixed version
Remote Support (RS)             25.3.1 and earlier    25.3.2 and later (patch BT26-02-RS)
Privileged Remote Access (PRA)  24.3.4 and earlier    25.1.1 and later (patch BT26-02-PRA)

SaaS/cloud customers were patched automatically on February 2, 2026. Self-hosted deployments require manual patch application via the /appliance management interface or by enabling automatic updates.

Technical Details

The vulnerability is a Bash arithmetic injection in thin-scc-wrapper, a Bash script handling the WebSocket connection handshake in both RS and PRA.

During the handshake, the script compares the client-supplied remoteVersion field numerically, which places it in Bash's arithmetic evaluation context. That context (entered by $((...)), ((...)), let, and the -eq/-ge family of operators inside [[ ]]) treats operands as expressions to evaluate, not as plain strings: a bare word is looked up as a variable, and an array reference such as a[...] has its subscript expanded before use, including any command substitution it contains. An attacker sends a crafted remoteVersion value such as:

a[$(command)]0

When Bash evaluates that operand it expands the subscript, running $(command) as a command substitution in the context of the site user, before any authentication has occurred. Because the remoteVersion field is entirely attacker-controlled and reaches this context without validation, the result is unauthenticated, pre-authentication remote code execution.
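The following script is an added illustration of this bug class and is not BeyondTrust's thin-scc-wrapper, which this page does not reproduce. It contains a hypothetical handshake check that compares a client-supplied version field with the arithmetic -ge operator, exactly the pattern described above, beside a hardened version that allow-lists the field's syntax before any arithmetic takes place. The probe function feeds both checks a payload of the same shape as the one above (the bare a[$(command)] form, without the trailing digit) whose embedded command writes a marker file, so you can see which check actually executes it. The function names, the minimum version and the marker file are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example of the Bash arithmetic-injection class described on this page.
# Hypothetical handshake check; NOT BeyondTrust's thin-scc-wrapper code.

MIN_VERSION=20   # assumed minimum client version for the demo

# Vulnerable pattern: -ge inside [[ ]] evaluates both operands as arithmetic
# expressions. A value such as 'a[$(cmd)]' is read as an array reference whose
# subscript is expanded first, so $(cmd) runs with the script's privileges.
vulnerable_check() {
    local remote="$1"
    if [[ "$remote" -ge "$MIN_VERSION" ]]; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Hardened pattern: reject anything that is not a dotted-numeric version before
# the value can reach an arithmetic context; only validated digits are evaluated.
safe_check() {
    local remote="$1"
    if [[ ! "$remote" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
        echo "rejected"
        return 0
    fi
    local major="${remote%%.*}"
    # 10# forces base 10 so a leading zero is not parsed as octal.
    if (( 10#$major >= MIN_VERSION )); then
        echo "accepted"
    else
        echo "rejected"
    fi
}

# Feed a check function the injection payload and report whether the embedded
# command actually ran. The command writes a marker file (constructed for the
# demo); "echo 0" keeps the subscript numeric so the demo exits cleanly.
probe() {
    local checker="$1"
    local marker
    marker="$(mktemp)"
    rm -f "$marker"
    local payload="a[\$(echo injected > '$marker'; echo 0)]"
    "$checker" "$payload" >/dev/null
    if [[ -f "$marker" ]]; then
        rm -f "$marker"
        echo "executed"
    else
        echo "clean"
    fi
}

# Stand-alone run: the vulnerable check executes the payload, the hardened one
# never evaluates it.
main() {
    printf 'vulnerable_check payload: %s\n' "$(probe vulnerable_check)"
    printf 'safe_check payload:       %s\n' "$(probe safe_check)"
    printf 'safe_check 25.3.2:        %s\n' "$(safe_check 25.3.2)"
    printf 'safe_check 19.0:          %s\n' "$(safe_check 19.0)"
}

main
```

The fix is validation before evaluation, not escaping: once a string reaches an arithmetic context there is no safe way to quote it, so the only defence is to ensure that nothing but the allowed shape (here, digits and dots) ever gets there.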

Attack characteristics:

  • Authentication required: None
  • User interaction: None
  • Attack vector: Network (WebSocket endpoint exposed to internet)
  • Complexity: Low — PoC published publicly, minimal exploitation skill required
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command

Discovery

Discovered on January 31, 2026 by Harsh Jaiswal and the Hacktron AI team using AI-driven variant analysis — an automated approach that used AI to identify variants of prior BeyondTrust vulnerabilities (specifically CVE-2024-12356). Intel 471 published a detailed case study on how this represents a new paradigm in vulnerability research, where AI tooling finds novel variants faster than traditional manual code review.

Exploitation Context

Mass exploitation was confirmed on February 12, 2026 — within 24 hours of a public PoC being posted to GitHub — by watchTowr and Arctic Wolf. BeyondTrust's own telemetry detected the first exploitation attempt on February 10.

Post-exploitation tooling observed (Unit 42 / Palo Alto):

  • VShell — a Linux backdoor using fileless/memory-resident execution, masquerading as a legitimate system service to evade detection
  • SparkRAT — an open-source Go-based remote access tool previously associated with the DragonSpark threat group

Threat actor context: No definitive attribution has been made for CVE-2026-1731 exploitation. However, researchers noted the use of VShell and SparkRAT has historical links to Chinese threat actor toolsets. BeyondTrust's previous critical RCE (CVE-2024-12356) was exploited by Silk Typhoon (APT27) in the 2024 U.S. Treasury breach, establishing a pattern of nation-state interest in BeyondTrust products.

Internet exposure at disclosure:

  • ~16,400 potentially exposed instances (Cortex Xpanse / Unit 42)
  • ~4,017 RS instances and ~284 PRA instances visible on Shodan (as of February 20, 2026)
  • By late February, ransomware-linked intrusions were confirmed by CISA

Sectors targeted: Financial services, healthcare, legal services, higher education, and technology — primarily US, France, Germany, Australia, and Canada.

Remediation

  1. Patch immediately — upgrade RS to 25.3.2+ or apply patch BT26-02-RS; upgrade PRA to 25.1.1+ or apply patch BT26-02-PRA via the /appliance interface
  2. SaaS customers — verify your instance was auto-patched on February 2, 2026 by checking the version shown in the admin console
  3. Restrict network access — if patching cannot happen immediately, block internet access to the BeyondTrust appliance and restrict to known-good IP ranges
  4. Hunt for compromise — review logs for unexpected WebSocket connections, unusual processes spawned by the site user, and presence of VShell or SparkRAT indicators; check BeyondTrust's IOC guidance in BT26-02
  5. Audit privileged sessions — review all sessions recorded by the appliance since February 10, 2026 for unauthorized access patterns
  6. Enable automatic updates — prevents exposure windows from future BeyondTrust vulnerabilities

Key Details

Property               Value
CVE ID                 CVE-2026-1731
Vendor / Product       BeyondTrust — Remote Support (RS) and Privileged Remote Access (PRA)
NVD Published          2026-02-06
NVD Last Modified      2026-02-17
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2026-02-13
CISA KEV Deadline      2026-02-16
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-02-16. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-01-31  Harsh Jaiswal (Hacktron AI) discovers the vulnerability via AI-driven variant analysis
2026-02-02  BeyondTrust automatically patches all SaaS/cloud customers
2026-02-06  BeyondTrust publishes advisory BT26-02; CVE-2026-1731 assigned; self-hosted patches released
2026-02-10  First exploitation attempts observed (BeyondTrust telemetry)
2026-02-12  Mass exploitation confirmed by watchTowr and Arctic Wolf; public PoC available
2026-02-13  Added to CISA Known Exploited Vulnerabilities catalog
2026-02-16  CISA BOD 22-01 remediation deadline for federal agencies
2026-02-20  Ransomware-linked intrusions confirmed; ~4,300 instances still internet-exposed