Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT

Originally published in Cybersecurity News (source: cybersecuritynews.com) by Blog Writer

A critical vulnerability in BeyondTrust’s remote support software is being actively exploited by hackers to deliver dangerous backdoors on compromised systems.

The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and lets attackers run system commands with no login required.

BeyondTrust released a security advisory on February 6, 2026, confirming that CVE-2026-1731 is an OS command injection vulnerability (CWE-78) in the thin-scc-wrapper component, which is exposed directly to the network via WebSocket.

Sectors targeted by this campaign include financial services, healthcare, legal services, higher education, and technology firms across the United States, France, Germany, Australia, and Canada.

Palo Alto Networks’ Unit 42 analysts identified active exploitation across more than 10,600 exposed instances, tracking a broad campaign that rapidly escalates from initial access to full control.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2026, mandating urgent remediation for federal agencies and urging private-sector organizations to act immediately.

Two backdoors sit at the core of this campaign. SparkRAT is an open-source, Go-based remote access Trojan first seen in 2023 in campaigns linked to the DragonSpark threat group.

VShell is a Linux backdoor known for fileless memory execution and its ability to blend in as a normal system service, making it hard to detect.

CVE-2026-1731 has a direct predecessor in CVE-2024-12356, an earlier BeyondTrust flaw exploited by Silk Typhoon (APT27) in the 2024 breach of the U.S. Treasury.

The same recurring weakness — insufficient input validation — shows up in both vulnerabilities, signaling that remote access platforms remain a prime target for sophisticated threat actors.

Inside the Infection Chain

The attack starts when a threat actor opens a WebSocket connection to the appliance and submits a malformed remoteVersion value formatted as a[$(cmd)]0 during the handshake phase.

Custom Python script for administrative account access (Source – Palo Alto Networks)

The thin-scc-wrapper script evaluates this value in bash arithmetic contexts, which treat the contents of a variable as an expression to be evaluated rather than as a plain number, so the command substitution embedded in the array subscript runs silently.
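To show the bug class the article describes, here is an added example (not BeyondTrust's thin-scc-wrapper code, which the article does not reproduce): a bash function that compares an unvalidated version string in an arithmetic context, beside a hardened version that checks the string's shape before any arithmetic sees it. The function names, the probe string and the marker file are constructed for this demo; the only command the probe substitutes creates an empty marker file, which is how the demo proves that the subscript was evaluated.

```shell
#!/usr/bin/env bash
# Re-exec under bash if started by a plain POSIX sh: the behaviour shown
# here is bash-specific ((( )), $(( )) and [[ -eq ]] all evaluate expressions).
if [ -z "${BASH_VERSION:-}" ]; then exec bash "$0" "$@"; fi

# Vulnerable pattern (illustrative): the untrusted string is handed straight
# to an arithmetic context. bash evaluates the variable's *contents* as an
# expression, and an a[...] array subscript inside it undergoes command
# substitution before the comparison even happens.
vulnerable_check() {
  local remote_version="$1"
  (( remote_version >= 1 )) 2>/dev/null && return 0
  return 1
}

# Hardened pattern: accept only the exact shape a version may have
# (digits, optionally dot-separated) and reject everything else before
# the value reaches any arithmetic context.
is_valid_version() {
  local v="$1" re='^[0-9]+(\.[0-9]+)*$'
  [[ $v =~ $re ]]
}

safe_check() {
  local remote_version="$1"
  is_valid_version "$remote_version" || return 2   # rejected, never evaluated
  local major="${remote_version%%.*}"
  (( major >= 1 ))
}

# Constructed, harmless probe in the a[$(...)] shape: the substituted command
# only creates a marker file, then yields subscript 0 so the expression parses.
demo_marker="$(mktemp)"
rm -f "$demo_marker"
probe='a[$(touch '"$demo_marker"'; echo 0)]'

vulnerable_check "$probe" || true          # comparison is false, but the subscript ran
vulnerable_executed_probe() { [ -e "$demo_marker" ]; }

safe_check "$probe" && echo "unexpected" || echo "hardened check rejected probe (rc=$?)"
```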

One-line PHP web shell seen in activity exploiting CVE-2026-1731 (Source – Palo Alto Networks)

Attackers follow this with web shell deployment, installing a compact PHP backdoor built around the eval() function and a multi-vector shell named aws.php.

PHP web shell aws.php (Source – Palo Alto Networks)

| CVE ID | CVSS Score | Severity | Type | Description |
|---|---|---|---|---|
| CVE-2026-1731 | 9.9 | Critical | OS Command Injection (CWE-78) | Pre-authentication RCE in the thin-scc-wrapper component of BeyondTrust Remote Support and PRA via malformed WebSocket remoteVersion input |
| CVE-2024-12356 | Critical | Critical | Input Validation Failure | Earlier BeyondTrust WebSocket endpoint flaw exploited by Silk Typhoon (APT27); predecessor to CVE-2026-1731 |

A bash dropper then plants a password-protected backdoor in the web root, temporarily injects a malicious Apache configuration directive, and immediately overwrites the config file on disk to hide all evidence.

Bash dropper seen in the attacks (Source – Palo Alto Networks)

BeyondTrust advises self-hosted customers to manually apply available patches — Remote Support 25.3.2 and Privileged Remote Access 25.1.1 — and to upgrade older versions below 21.3 (RS) or 22.1 (PRA) before patching.
