Hackers are actively exploiting a serious flaw in BeyondTrust's remote support software to plant backdoors on compromised systems. With a CVSS score of 9.9, the vulnerability, tracked as CVE-2026-1731, lets attackers execute system commands without requiring a login.

On February 6, 2026, BeyondTrust published a security advisory verifying that CVE-2026-1731 is an OS command injection vulnerability (CWE-78) in the thin-scc-wrapper component, which is directly accessible through WebSocket. Financial services, healthcare, legal services, higher education, and technology companies in the US, France, Germany, Australia, and Canada are among the industries this campaign is aimed at.

Palo Alto Networks' Unit 42 analysts found more than 10,600 exposed instances and tracked a broad campaign in which the flaw was actively exploited, moving quickly from initial access to complete control. On February 13, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to take immediate corrective action and advising private-sector entities to do the same. The campaign revolves around two backdoors.

The open-source, Go-based remote access Trojan known as SparkRAT was initially discovered in 2023 in campaigns connected to the DragonSpark threat group. The Linux backdoor VShell is well-known for its fileless memory execution and ability to pass for a legitimate system service, making it difficult to identify.

CVE-2026-1731 has a historical connection to CVE-2024-12356, a previous BeyondTrust vulnerability that Silk Typhoon (APT27) took advantage of in the 2024 U.S. Treasury hack. Both vulnerabilities exhibit the same recurrent flaw, inadequate input validation, indicating that remote access platforms continue to be a top target for highly skilled threat actors.

Within the Chain of Infection

The attack begins when a threat actor establishes a WebSocket connection with the appliance and, during the handshake phase, submits a malformed remoteVersion value formatted as a[$(cmd)]0.

[Figure: Python script for administrative account access (Source: Palo Alto Networks)]

The injected command runs silently because the thin-scc-wrapper script processes this value in a bash arithmetic context, which treats the input as an evaluable expression rather than as a plain number.
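The defensive counterpart to the flaw described above is to never let an untrusted handshake value reach shell arithmetic unless it has first passed a strict allow-list. The following POSIX shell script is an added example written for this article; it is not BeyondTrust's or Unit 42's code, and it assumes only that a remoteVersion-style value is read as text and later used in arithmetic. The log format and the three sample lines are constructed for the demo (the second line carries the a[$(cmd)]0 pattern from the article), and the script only compares values as strings, so nothing inside them is ever executed.

```shell
#!/bin/sh
# Added example, not BeyondTrust's or Unit 42's code. It assumes only that a
# handshake value like remoteVersion is read as text and later used in shell
# arithmetic; the log format below is constructed for the demo.

# Strict allow-list: a version may contain only digits and dots.
# Anything else (brackets, $, parentheses, spaces) is rejected before the
# value can reach an arithmetic context such as $(( ... )), where the shell
# would otherwise evaluate array-index expressions and command substitutions.
is_safe_version() {
    case "$1" in
        '')         return 1 ;;
        *[!0-9.]*)  return 1 ;;
        *)          return 0 ;;
    esac
}

# Extract the major number with shell arithmetic, but only after validation.
# Prints nothing and returns 1 for a rejected value.
major_version() {
    is_safe_version "$1" || return 1
    major=${1%%.*}
    echo $((major + 0))
}

# Constructed sample handshake log lines (not real appliance output); the
# second line carries the malformed pattern described in the article.
SAMPLE_LOG='2026-02-07T10:00:01Z ws handshake client=10.0.0.5 remoteVersion=25.3.1
2026-02-07T10:00:02Z ws handshake client=10.0.0.9 remoteVersion=a[$(cmd)]0
2026-02-07T10:00:03Z ws handshake client=10.0.0.7 remoteVersion=25.3.2'

# Count handshake lines whose remoteVersion fails the allow-list.
# Values are only ever compared as strings here, so nothing in them runs.
count_suspicious_versions() {
    n=0
    while IFS= read -r line; do
        case "$line" in *remoteVersion=*) ;; *) continue ;; esac
        v=${line##*remoteVersion=}
        v=${v%% *}
        is_safe_version "$v" || n=$((n + 1))
    done <<EOF
$1
EOF
    echo "$n"
}

count_suspicious_versions "$SAMPLE_LOG"   # prints 1
```

The allow-list is deliberately narrow: rather than trying to strip dangerous characters out of a value, it accepts only digits and dots and refuses everything else, which is the check that would have stopped the a[$(cmd)]0 payload at the handshake. The same pattern applied to captured handshake logs gives a quick retrospective sweep for attempts against an unpatched appliance.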

Attackers deploy a web shell, install a compact PHP backdoor built around the eval() function, and install a multi-vector shell called aws.php.

[Figure: A one-line PHP web shell spotted in activity exploiting CVE-2026-1731 (Source: Palo Alto Networks)]

CVE ID: CVE-2026-1731
CVSS Score: 9.9
Severity: Critical
Type: OS Command Injection (CWE-78)
Description: Malformed WebSocket remoteVersion input for pre-authentication RCE in the thin-scc-wrapper component of BeyondTrust Remote Support and PRA

CVE ID: CVE-2024-12356
Severity: Critical
Type: Input Validation
Description: Prior to CVE-2026-1731, Silk Typhoon (APT27) exploited a BeyondTrust WebSocket endpoint flaw

To conceal all evidence, a bash dropper then creates a password-protected backdoor in the web root, temporarily inserts a malicious Apache configuration directive, and immediately overwrites the configuration file on disk.

BeyondTrust advises self-hosted customers to manually apply the available patches, Remote Support 25.3.2 and Privileged Remote Access 25.1.1, and to first upgrade older versions below 21.3 (RS) or 22.1 (PRA) before patching.

[Figure: The bash dropper observed in the attacks (Source: Palo Alto Networks)]