Executive Summary
A critical pre-authentication remote code execution (RCE) vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) is under active exploitation by multiple threat actors. The vulnerability, tracked as CVE-2026-1731 (CVSSv4 9.9), allows unauthenticated remote attackers to execute arbitrary OS commands via a trivially simple crafted WebSocket message.
CVSS Score: 9.9 (Critical)
CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13, 2026. Palo Alto's Unit 42 has observed post-exploitation deployment of VShell and SparkRAT backdoors.
Vulnerability Overview
Root Cause
CVE-2026-1731 is a pre-authentication command injection vulnerability triggered through specially crafted client requests. The exploit is described by researchers as "trivially simple" — essentially a WebSocket message with a crafted version string that achieves full remote code execution.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-1731 |
| CVSSv4 Score | 9.9 (Critical) |
| Type | Pre-Auth Remote Code Execution |
| Attack Vector | Network (WebSocket) |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Exploitation | Active — multiple threat actors |
Affected Versions and Patches
| Product | Affected Versions | Fixed Version |
|---|---|---|
| BeyondTrust Remote Support | <= 25.3.1 | 25.3.2+ |
| BeyondTrust Privileged Remote Access | <= 24.3.4 | 24.3.5+ |
SaaS customers: Patches were automatically deployed on February 2, 2026.
Self-hosted customers: Must apply updates manually. Internet-exposed instances unpatched as of February 9 are at critical risk.
Exploitation Timeline
| Date | Event |
|---|---|
| Jan 31, 2026 | BeyondTrust detects anomalous activity on a Remote Support appliance |
| Feb 2, 2026 | Patches issued and deployed to SaaS customers |
| Feb 6, 2026 | Public advisory (BT26-02) released |
| Feb 9, 2026 | Self-hosted patch deadline recommended |
| Feb 10, 2026 | First public PoC exploits appear; first exploitation attempt observed |
| Feb 11, 2026 | GreyNoise detects scanning surge — single IP (Frankfurt VPN) responsible for 86% of probes |
| Feb 13, 2026 | CISA adds CVE-2026-1731 to KEV catalog |
| Feb 14-20, 2026 | Multiple threat campaigns confirmed deploying post-exploitation malware |
Attack Chain
1. Attacker identifies internet-exposed BeyondTrust RS/PRA instance
2. Sends crafted WebSocket message with malicious version string
3. Server processes the message without authentication
4. OS command injection achieves arbitrary code execution
5. Attacker deploys VShell or SparkRAT for persistent access
6. Lateral movement into internal network via the remote access platform
Post-Exploitation Malware
| Malware | Type | Description |
|---|---|---|
| VShell | Backdoor | Cross-platform C2 implant with reverse shell, file transfer, and tunneling capabilities |
| SparkRAT | RAT | Open-source Go-based remote access trojan with modular architecture |
Why This Is Especially Dangerous
BeyondTrust's Position in Networks
BeyondTrust Remote Support and PRA are deployed specifically to provide privileged remote access to systems. Compromising these appliances gives attackers:
- Legitimate remote access infrastructure to pivot into internal networks
- Credential access — Remote support sessions may contain stored credentials
- Session hijacking — Active support sessions can be intercepted or replicated
- Trust exploitation — Traffic from BeyondTrust appliances is typically trusted and may bypass network monitoring
Pre-Auth + Trivial Exploit = Mass Exploitation
The combination of:
- No authentication required
- Trivially simple exploit (single WebSocket message)
- Internet-exposed by design (it's a remote access product)
- Public PoCs available
...creates the conditions for mass exploitation, which is exactly what has been observed since February 10.
Immediate Remediation
Patch Now
- Self-hosted customers: Apply updates immediately
- SaaS customers: Verify automatic patch was applied (check version number)
- Verify no compromise: Audit appliance logs from January 31 onward
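To turn the affected-version table and the "check version number" step into something repeatable, the following added script (not BeyondTrust's or any vendor's code) compares inventory version strings against the ranges the advisory lists. It assumes dotted-integer version strings such as `25.3.1` and a four-component build like `25.3.1.7`, which it flags for manual review because the advisory only defines the three-component boundaries.

```python
"""Assess BeyondTrust RS/PRA versions against the CVE-2026-1731 affected ranges.
Assumption (not from the advisory): versions are dotted integers; any suffix
after the digits (e.g. '-build7') is ignored."""
import re

# Thresholds taken from the advisory's table: last affected release and
# first fixed release, per product.
AFFECTED = {
    "RS":  {"last_affected": (25, 3, 1), "first_fixed": (25, 3, 2)},
    "PRA": {"last_affected": (24, 3, 4), "first_fixed": (24, 3, 5)},
}

def parse_version(text: str) -> tuple:
    """Turn '25.3.1' (or '25.3.1-build7') into a comparable integer tuple.
    Fewer than three components are zero-padded, so '25.3' == (25, 3, 0);
    extra components are kept so '25.3.1.7' sorts above '25.3.1'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def assess(product: str, version: str) -> str:
    """'VULNERABLE' if at or below the last affected release, 'PATCHED' if at
    or above the first fixed release, 'REVIEW' for anything in between."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected 'RS' or 'PRA'")
    v = parse_version(version)
    t = AFFECTED[product]
    if v <= t["last_affected"]:
        return "VULNERABLE"
    if v >= t["first_fixed"]:
        return "PATCHED"
    return "REVIEW"

def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples, e.g. from
    an asset database. Returns every host whose verdict is not 'PATCHED'."""
    return [(host, assess(product, ver))
            for host, product, ver in inventory
            if assess(product, ver) != "PATCHED"]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("rs-dmz-01", "RS", "25.3.1"), ("rs-dmz-02", "RS", "25.3.2"),
              ("pra-core", "PRA", "24.3.4"), ("pra-lab", "PRA", "24.3.5-build9")]
    for host, verdict in triage(sample):
        print(f"{host}: {verdict}")
```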
If Immediate Patching Is Not Possible
- Remove BeyondTrust appliances from internet exposure immediately
- Place behind VPN or zero-trust access controls
- Monitor for WebSocket anomalies — Unusual version strings in connection handshakes
- Hunt for VShell and SparkRAT IOCs across the environment
- Engage incident response if any indicators of compromise are detected
Detection
Network Indicators
| Indicator | Description |
|---|---|
| Malformed WebSocket version strings | Exploit attempt signature |
| Outbound connections from BeyondTrust appliance to unknown IPs | C2 communication |
| Unusual process spawning from BeyondTrust services | Post-exploitation activity |
| VShell or SparkRAT binary signatures | Known post-exploitation malware |
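The "outbound connections from the appliance to unknown IPs" indicator is easiest to act on when the connections are grouped by destination and checked for the regular timing typical of C2 beaconing. The added example below (not part of the advisory or any vendor tooling) does that over constructed flow records; the record layout, appliance address and allowlist are all assumptions for illustration.

```python
"""Flag beacon-like outbound connections from a BeyondTrust appliance.
The flow-record layout, the appliance IP and the allowlist are constructed
for this example and are not BeyondTrust's own formats or addresses."""
from collections import defaultdict
from statistics import mean, pstdev

APPLIANCE_IP = "10.0.5.20"                   # assumed appliance address
ALLOWED_DST = {"10.0.5.1", "203.0.113.10"}   # assumed: DNS resolver, vendor update host

# Constructed flow records: (epoch seconds, src, dst, dst_port).
FLOWS = [
    (1000, "10.0.5.20", "203.0.113.10", 443),   # allowlisted, ignored
    (1000, "10.0.5.20", "198.51.100.7", 8443),  # regular ~60 s cadence below
    (1060, "10.0.5.20", "198.51.100.7", 8443),
    (1121, "10.0.5.20", "198.51.100.7", 8443),
    (1180, "10.0.5.20", "198.51.100.7", 8443),
    (1239, "10.0.5.20", "198.51.100.7", 8443),
    (1010, "10.0.5.20", "10.0.5.1", 53),        # allowlisted, ignored
    (1300, "10.0.5.20", "192.0.2.44", 443),     # unknown but a single hit
    (1500, "10.0.9.9", "198.51.100.7", 8443),   # different source, ignored
]

def unknown_outbound(flows, src=APPLIANCE_IP, allowed=ALLOWED_DST):
    """Timestamps of appliance connections to non-allowlisted destinations,
    keyed by (dst, dst_port)."""
    by_dst = defaultdict(list)
    for ts, s, d, port in flows:
        if s == src and d not in allowed:
            by_dst[(d, port)].append(ts)
    return {k: sorted(v) for k, v in by_dst.items()}

def beacon_score(timestamps, min_conns=4, max_jitter=0.2):
    """(mean_interval, relative_jitter) when the series looks periodic, else
    None. Jitter = population std-dev of the gaps divided by the mean gap."""
    if len(timestamps) < min_conns:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    jitter = pstdev(gaps) / m
    return (m, jitter) if jitter <= max_jitter else None

def find_beacons(flows):
    """Destinations the appliance contacts at regular intervals: C2 candidates
    to review first. Single or irregular contacts still appear in
    unknown_outbound() for manual triage."""
    hits = {}
    for key, ts in unknown_outbound(flows).items():
        score = beacon_score(ts)
        if score:
            hits[key] = score
    return hits
```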
CISA KEV Deadline
CISA's addition to the KEV catalog on February 13 requires federal agencies to patch by the published deadline. However, with the DHS shutdown furloughing 62% of CISA, enforcement and verification are degraded.
Key Takeaways
- CVSSv4 9.9 — Pre-auth RCE via trivial WebSocket exploit
- Active exploitation confirmed by multiple threat actors deploying VShell and SparkRAT
- Patch immediately — Self-hosted instances unpatched since Feb 9 are at critical risk
- BeyondTrust's position in networks makes this especially dangerous for lateral movement
- CISA KEV listed — Federal agencies have mandatory patching deadlines
References
- BeyondTrust Security Advisory BT26-02
- Rapid7 — CVE-2026-1731: Critical Unauthenticated RCE in BeyondTrust
- Palo Alto Unit 42 — VShell and SparkRAT in BeyondTrust Exploitation
- Help Net Security — Hackers Probe, Exploit Newly Patched BeyondTrust RCE Flaw
- CISA — Known Exploited Vulnerabilities Catalog