BeyondTrust Vulnerability Exploited to Deploy Web Shells, Backdoors, and Steal Data

A critical security flaw affecting BeyondTrust Remote Support and BeyondTrust Privileged Remote Access products is being actively exploited by threat actors to deploy web shells, backdoors, malware, and exfiltrate sensitive data. The vulnerability, tracked as CVE-2026-1731, carries a CVSS score of 9.9.

Nature of the Vulnerability

The flaw stems from a sanitization failure in the “thin-scc-wrapper” script, accessible via a WebSocket interface. This allows attackers to inject and execute arbitrary operating system commands in the context of a site user account. Although this account is not root, compromising it provides control over appliance configurations, managed sessions, and network traffic.


Observed Attack Techniques

Palo Alto Networks Unit 42 reports that attackers are leveraging CVE-2026-1731 for a range of operations:

  • Using custom Python scripts to gain administrative access
  • Installing web shells, including PHP backdoors capable of executing arbitrary code in memory, and bash droppers for persistent access
  • Deploying malware such as VShell and Spark RAT
  • Executing commands to stage, compress, and exfiltrate sensitive data, including configuration files, internal system databases, and full PostgreSQL dumps
  • Performing network reconnaissance and lateral movement
  • Validating code execution and fingerprinting compromised systems via out-of-band application security testing (OAST)
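As an added example (not code from the article, Unit 42, or BeyondTrust), the following Python script hunts for the post-exploitation chain described above in process-audit logs. The log format, user names, hostnames and paths are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-audit lines in a hypothetical "<ts> user=<u> cmd=<command line>"
# format; they are not real BeyondTrust appliance logs, and the format is an assumption.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z user=site-user cmd=/usr/bin/pg_dump -U postgres -f /tmp/.cache/db.sql
2026-02-10T09:12:44Z user=site-user cmd=tar czf /tmp/.cache/bundle.tgz /tmp/.cache/db.sql /etc/app
2026-02-10T09:13:02Z user=site-user cmd=curl -s http://callback.oast-provider.invalid/ping
2026-02-10T09:14:10Z user=site-user cmd=python3 /tmp/.cache/admin.py --create-admin
2026-02-10T09:20:00Z user=backup cmd=/usr/bin/pg_dump -U postgres -f /var/backups/nightly.sql
2026-02-10T09:21:00Z user=site-user cmd=ls -la /var/log
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Each rule maps to one behaviour the article lists: database dumps, staging/compression
# into a scratch directory, out-of-band callbacks via a fetch tool, scripts run from /tmp.
RULES = {
    "db_dump": re.compile(r"(^|/|\s)pg_dump(\s|$)"),
    "archive_staging": re.compile(r"(^|/|\s)(tar|zip|7z)\s.*(/tmp/|/dev/shm/)"),
    "outbound_fetch": re.compile(r"(^|/|\s)(curl|wget)\s"),
    "script_from_tmp": re.compile(r"(^|/|\s)(python3?|perl|sh|bash)\s+(/tmp/|/dev/shm/)"),
}

def classify(cmd: str) -> set[str]:
    """Return the set of rule names matching one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def hunt(log_text: str, min_categories: int = 2) -> dict[str, set[str]]:
    """Group hits per user and report only users showing several distinct behaviours.

    A lone pg_dump is routine (backups); the dump, compress, fetch, run-from-/tmp chain
    is what the article describes, so correlating categories cuts false positives.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hits[m["user"]] |= classify(m["cmd"])
    return {user: cats for user, cats in hits.items() if len(cats) >= min_categories}

if __name__ == "__main__":
    for user, cats in hunt(SAMPLE_LOG).items():
        print(f"ALERT user={user} behaviours={sorted(cats)}")
```

The nightly backup account matches only one category and is not reported; the site user account triggers all four.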

Impacted Sectors and Geography

The attacks have affected multiple industries, including:

  • Financial services
  • Legal services
  • High technology
  • Higher education
  • Wholesale and retail
  • Healthcare

Geographically, active exploitation has been observed in the United States, France, Germany, Australia, and Canada.

Context and Threat Actor Profile

Unit 42 highlights that CVE-2026-1731 shares input validation weaknesses with CVE-2024-12356. While CVE-2024-12356 involved third-party software (PostgreSQL) and was exploited by China-linked actors such as Silk Typhoon, CVE-2026-1731 lies in BeyondTrust's own RS and older PRA codebases, making it attractive to sophisticated attackers. CISA has confirmed that the vulnerability has been observed in ransomware campaigns.
