CISA Confirms BeyondTrust RCE Flaw Exploited in Ransomware Campaigns as Thousands of On-Premises Instances Remain Exposed
A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access products, rated CVSS 9.9, is being actively exploited in ransomware attacks across six countries, with thousands of on-premises instances still unpatched.
A critical vulnerability in BeyondTrust’s remote access products has escalated from targeted exploitation to active use in ransomware campaigns, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to update its Known Exploited Vulnerabilities (KEV) catalog with a ransomware designation for the flaw.
The vulnerability, tracked as CVE-2026-1731, carries a near-maximum CVSS score of 9.9 and affects BeyondTrust Remote Support (RS) versions 25.3.1 and earlier, as well as Privileged Remote Access (PRA) versions 24.3.4 and earlier. The flaw enables unauthenticated, remote attackers to execute arbitrary operating system commands by sending specially crafted requests to affected systems.
From Disclosure to Exploitation in Four Days
BeyondTrust disclosed the vulnerability on February 6, 2026, under advisory BT26-02. The company automatically patched its SaaS instances by February 2, four days before the public disclosure. However, self-hosted customers were left to apply manual updates.
The situation deteriorated rapidly. Rapid7 Labs published a technical analysis on February 10, and within 24 hours, in-the-wild exploitation was confirmed. CISA added CVE-2026-1731 to its KEV catalog on February 13, 2026.
The flaw resides in the thin-scc-wrapper component and stems from insufficient input validation during WebSocket handshake processing. Attackers inject malicious bash commands through the remoteVersion parameter, using arithmetic expansion contexts to bypass the sanitization checks.
Sophisticated Post-Exploitation Toolkit
Security researchers documented an extensive post-exploitation playbook used by threat actors targeting the vulnerability. Attackers deployed Python scripts that enabled administrative account takeover within 60 seconds by querying internal databases, backing up original password hashes, generating valid replacements via the application’s own authentication binary, and self-destructing afterward.
The attackers’ toolkit included multiple categories of malware. PHP-based web shells using eval() functions provided persistent backdoor access, while a shell identified as aws.php aggregated HTTP data sources and decoded Base64 payloads using delimiter characters associated with the China Chopper command-and-control framework. Bash droppers employed a technique described as “config STOMPing,” injecting malicious Apache directives into running processes while maintaining clean artifacts on disk to evade forensic detection.
Two remote access trojans featured prominently in observed attacks. SparkRAT, a cross-platform Go-based tool, was deployed across multiple environments. VShell, a Linux-focused backdoor, used fileless memory execution and service masquerading to avoid detection.
Thousands of Instances Still Exposed
The scope of potential impact remains significant. Internet scanning identified approximately 16,400 BeyondTrust Remote Support instances exposed to the internet, with an estimated 8,500 on-premises systems that require manual patching and remain at risk.
Attacks have been observed across the financial services, legal, technology, higher education, retail, and healthcare sectors in the United States, France, Germany, Australia, and Canada. Attackers used DNS tunneling via out-of-band application security testing services to encode victim hostnames as hexadecimal subdomains, bypassing egress filtering while appearing as legitimate DNS traffic.
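As an added illustration of the detection side of the DNS tunneling described above (this is example code, not from the article, BeyondTrust, or any of the cited researchers): a Python check that flags DNS queries whose subdomain labels are long hex strings decoding to something shaped like a hostname. The log format, client addresses and the `oast-example.test` domain are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample DNS query log lines (timestamp, client, qtype, qname).
# "oast-example.test" stands in for an out-of-band testing domain; it is not real.
SAMPLE_DNS_LOG = """\
2026-02-14T03:12:07Z 10.20.30.40 A 7273617070312e636f72702e6578616d706c65.oast-example.test
2026-02-14T03:12:09Z 10.20.30.41 A www.example.com
2026-02-14T03:12:10Z 10.20.30.40 A deadbeefcafe.cdn.example.net
2026-02-14T03:12:12Z 10.20.30.42 A 707261302e696e7465726e616c.oast-example.test
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")  # at least 8 encoded bytes
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

@dataclass
class Finding:
    client: str
    query: str
    decoded: str

def decode_hex_label(label: str) -> str | None:
    """Return the text a hex label encodes if it decodes to a hostname, else None."""
    if not HEX_LABEL.match(label) or len(label) % 2:
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except ValueError:  # non-ASCII bytes: not an encoded hostname
        return None
    return text if HOSTNAME.match(text.lower()) else None

def find_hex_hostname_exfil(log_text: str) -> list[Finding]:
    """Scan log lines; report queries carrying a hex-encoded hostname as a subdomain."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _qtype, qname = parts[:4]
        # Skip the last two labels (the registrable domain), inspect the rest.
        for label in qname.rstrip(".").split(".")[:-2]:
            decoded = decode_hex_label(label)
            if decoded:
                findings.append(Finding(client, qname, decoded))
    return findings

if __name__ == "__main__":
    for f in find_hex_hostname_exfil(SAMPLE_DNS_LOG):
        print(f"{f.client} -> {f.query} decodes to {f.decoded!r}")
```

Matches from a given client should be correlated with the BeyondTrust host inventory, since the decoded name is the value the tooling leaked, not necessarily the querying resolver.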
The vulnerability draws comparisons to CVE-2024-12356, a similar BeyondTrust flaw previously exploited by the China-linked threat group Silk Typhoon in the U.S. Treasury breach. That precedent, combined with the current exploitation patterns involving tools like China Chopper, has heightened concern among incident responders.
Organizations running self-hosted BeyondTrust Remote Support or Privileged Remote Access installations are urged to update to RS version 25.3.2 or later and PRA version 25.1.1 or later immediately. CISA’s ransomware designation for the vulnerability signals that federal agencies face mandatory remediation deadlines.