
Threat actors are exploiting recently disclosed critical security flaws affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to
This vulnerability is tracked as CVE-2026-1731 (CVSS score: 9.9) and allows an attacker to execute operating system commands in the context of a site user.
In a report released Thursday, Palo Alto Networks Unit 42 said it has detected this security flaw being actively exploited in the wild for network reconnaissance, web shell deployment, command and control (C2), backdoor and remote management tool installation, lateral movement, and data theft.
The campaign targets financial services, legal services, high tech, higher education, wholesale and retail, and healthcare sectors in the United States, France, Germany, Australia, and Canada.
The cybersecurity firm describes the vulnerability as a case of sanitization failure, which allows an attacker to inject and execute arbitrary shell commands in the context of a site user by leveraging an affected “thin-scc-wrapper” script accessible via the WebSocket interface.
“While this account is separate from the root user, compromising it effectively gives an attacker control over the appliance’s configuration, managed sessions, and network traffic,” said security researcher Justin Moore.
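The vulnerability class described above, untrusted input reaching a shell without sanitization, is illustrated by the following added example. It is not BeyondTrust's code and not taken from the Unit 42 report: the wrapper, its use of `ping`, the hostname format and the sample inputs are assumptions. The vulnerable builder interpolates the argument into a shell string; the hardened builder validates it against an allowlist and returns an argv list so no shell ever parses it. `simple_commands` tokenizes a command line the way a POSIX shell would (stdlib `shlex`, nothing is executed) to show how many programs the shell would actually run.

```python
"""Shell command construction: a sanitization failure beside its fix.

Constructed example; the wrapper, its arguments and the sample inputs are
assumptions for illustration, not BeyondTrust's thin-scc-wrapper code.
"""
import re
import shlex
import subprocess

# Allowlist for the single argument the hypothetical wrapper accepts:
# a hostname or IPv4 literal (assumed format, deliberately strict).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Control operators at which a POSIX shell starts a new simple command.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_command_vulnerable(hostname: str) -> str:
    """Interpolate caller input into a string destined for `sh -c`.

    Nothing is validated, so shell metacharacters inside `hostname` become
    part of the command line the shell interprets: the caller, not the
    wrapper, decides what runs.
    """
    return f"ping -c 1 {hostname}"


def build_command_hardened(hostname: str) -> list[str]:
    """Validate against the allowlist, then return an argv list.

    An argv list is handed to the kernel as-is (shell=False); there is no
    shell to interpret ';', '|', '$()' or backticks.
    """
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname argument: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def argument_accepted(hostname: str) -> bool:
    """True if the hardened builder would accept `hostname`."""
    try:
        build_command_hardened(hostname)
        return True
    except ValueError:
        return False


def simple_commands(command_line: str) -> list[list[str]]:
    """Split a command line into the simple commands a shell would run.

    Uses shlex with punctuation_chars=True so that control operators are
    emitted as their own tokens. Purely lexical: nothing is executed.
    """
    lexer = shlex.shlex(command_line, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def execute_hardened(hostname: str) -> int:
    """Run the hardened command without a shell and return its exit status."""
    argv = build_command_hardened(hostname)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    for sample in ("10.0.0.1", "10.0.0.1; id"):
        vulnerable = build_command_vulnerable(sample)
        print(f"input {sample!r}")
        print(f"  shell string : {vulnerable!r}")
        print(f"  shell runs   : {simple_commands(vulnerable)}")
        print(f"  hardened     : {'accepted' if argument_accepted(sample) else 'rejected'}")
```

The second sample shows the whole problem in one line: the vulnerable builder produces a string the shell splits into two commands, while the hardened path rejects the argument before anything is built. The allowlist is the important part; quoting with `shlex.quote` alone would still leave the decision of what counts as a valid argument undocumented.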

Current attacks exploiting this flaw range from reconnaissance to backdoor deployment.
- Accessing administrator accounts using custom Python scripts.
- Installing multiple web shells across directories, including a PHP backdoor that executes raw or arbitrary PHP code without writing new files to disk, and a bash dropper that establishes a persistent web shell.
- Deploying malware such as VShell and Spark RAT.
- Using out-of-band application security testing (OAST) techniques to verify successful code execution and to fingerprint compromised systems.
- Running commands to stage, compress, and exfiltrate sensitive data, such as configuration files, internal system databases, and complete PostgreSQL dumps, to external servers.
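The web shell activity listed above is the kind of thing a responder hunts for on disk. The following added example, written here for this article and not derived from the Unit 42 report or from BeyondTrust, scans a web root for PHP files that pass request input straight into `eval`, `system` and similar sinks, and reports each hit with its SHA-256 so it can be triaged. The indicator patterns, file layout and sample files are constructed for illustration; real incidents will need patterns tuned to the environment.

```python
"""Hunt for PHP web shells on disk by source-level indicators.

Added defender-side example; the indicator patterns, directory layout and
sample files are constructed for illustration and are not taken from the
Unit 42 report or from BeyondTrust.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# PHP superglobals that carry attacker-controlled request data.
REQUEST_VAR = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)"

# Each indicator: (name, compiled regex). Tuned for recall over precision;
# a hit is a triage lead, not a verdict.
INDICATORS = [
    ("eval-of-request-input",
     re.compile(r"\beval\s*\(\s*(?:@?\s*)?" + REQUEST_VAR, re.I)),
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command-exec-from-request",
     re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*" + REQUEST_VAR, re.I)),
    ("assert-as-eval",
     re.compile(r"\bassert\s*\(\s*" + REQUEST_VAR, re.I)),
    ("variable-function-from-request",
     re.compile(REQUEST_VAR + r"\s*\[[^\]]+\]\s*\(", re.I)),
]

# Extensions a typical PHP handler will execute.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}


def scan_source(text: str) -> list[str]:
    """Return the names of every indicator that matches the given PHP source."""
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def scan_tree(root: str) -> dict[str, dict]:
    """Walk `root` and report each PHP-like file that trips an indicator.

    os.walk is used rather than a glob so dotfiles (a common hiding spot)
    are not skipped. Keys are POSIX-style paths relative to `root`.
    """
    findings: dict[str, dict] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if path.suffix.lower() not in PHP_EXTENSIONS:
                continue
            data = path.read_bytes()
            hits = scan_source(data.decode("utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = {
                    "indicators": hits,
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "size": len(data),
                }
    return findings


def build_sample_tree() -> str:
    """Create a temporary web root with constructed benign and suspicious files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        # benign: output-encodes request input, never executes it
        "index.php": "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>",
        # constructed one-liner evaluating request input, hidden as a dotfile
        "assets/uploads/.cache.php": "<?php @eval($_POST['x']); ?>",
        # constructed command-execution sink fed from the request
        "lib/helper.php": "<?php $out = system($_REQUEST['c']); echo $out; ?>",
        # same text in a non-PHP file: not executable, so ignored
        "notes.txt": "eval($_POST['x'])  # not PHP, ignored",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    webroot = build_sample_tree()
    for rel_path, info in sorted(scan_tree(webroot).items()):
        print(f"{rel_path}: {', '.join(info['indicators'])} "
              f"(sha256={info['sha256'][:16]}..., {info['size']} bytes)")
```

Run it against a real web root by calling `scan_tree("/path/to/webroot")`. Because the article notes a backdoor that runs PHP without writing new files, a disk scan like this is only one leg of the hunt; it should be paired with a review of recently modified files, of web server access logs for unexpected POST targets, and of process and network activity from the web server account.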
“The relationship between CVE-2026-1731 and CVE-2024-12356 highlights localized and recurring challenges with input validation within separate execution paths,” Unit 42 said.
“While the insufficient validation in CVE-2024-12356 was due to the use of third-party software (postgres), the insufficient validation issue in CVE-2026-1731 was introduced in BeyondTrust Remote Support (RS) and older versions of the BeyondTrust Privileged Remote Access (PRA) codebase.”
CVE-2024-12356 has been exploited by Chinese-aligned attackers like Silk Typhoon, and the cybersecurity firm noted that CVE-2026-1731 could also be targeted by sophisticated attackers.
The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated the CVE-2026-1731 entry in its Known Exploited Vulnerabilities (KEV) catalog, confirming that the bug has been exploited in a ransomware campaign.
