Critical BeyondTrust Flaw Exploited by Hackers

Posted on February 20, 2026 By CWS

A severe security flaw in BeyondTrust’s remote support software is currently being exploited by cybercriminals to introduce harmful backdoors into vulnerable systems.

The Critical Vulnerability

Tracked as CVE-2026-1731 and carrying a CVSS score of 9.9, the vulnerability allows attackers to execute system commands without authentication. BeyondTrust confirmed the flaw on February 6, 2026, describing it as an OS command injection vulnerability in the thin-scc-wrapper component, which is exposed to network attacks via WebSocket.

This vulnerability is actively being targeted across multiple sectors, including finance, healthcare, legal, education, and technology firms, with affected regions covering the United States, France, Germany, Australia, and Canada.

Active Exploitation and Impact

Palo Alto Networks’ Unit 42 has tracked over 10,600 instances of active exploitation, with attackers quickly advancing from initial access to complete system control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1731 to its Known Exploited Vulnerabilities Catalog, urging immediate remediation by federal agencies and commercial organizations.

The exploitation campaign involves two main backdoors: SparkRAT, a Go-based remote access Trojan linked to the DragonSpark group, and VShell, a Linux backdoor known for its stealth execution capabilities.

Infection Chain and Mitigation Measures

The attack sequence begins with a threat actor establishing a WebSocket connection to the affected system, submitting a manipulated remoteVersion value that triggers the vulnerability. This malformed input is processed by the thin-scc-wrapper script, leading to the execution of malicious commands.

Subsequent steps involve deploying a compact PHP web shell and a multi-vector shell named aws.php, followed by a bash dropper that plants a password-protected backdoor and temporarily alters Apache configurations to conceal activities.
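For defenders reviewing logs, the first step of the chain suggests a simple check: a remoteVersion value should be a plain dotted version number and nothing else. The following is an added example, not BeyondTrust code or part of the original report. It assumes a key=value log layout invented for illustration, with constructed sample lines and placeholder values, and flags every remoteVersion that fails a strict allowlist.

```python
import re

# Allowlist: ASCII dotted numeric version ("25.3.2"). [0-9] rather than \d,
# because \d also matches non-ASCII Unicode digits in Python 3.
VERSION_RE = re.compile(r"[0-9]{1,4}(?:\.[0-9]{1,4}){1,3}")
# Assumed key=value log layout (constructed for this example, not a vendor format).
FIELD_RE = re.compile(r'remoteVersion=(?:"([^"]*)"|(\S*))')
SRC_RE = re.compile(r"\bsrc=(\S+)")

# Constructed sample lines: documentation-range addresses, placeholder values.
SAMPLE_LOG = [
    'ts=2026-02-10T08:01:11Z src=198.51.100.7 event=ws_handshake remoteVersion=25.3.1',
    'ts=2026-02-10T08:02:40Z src=203.0.113.24 event=ws_handshake remoteVersion="25.3.1;PLACEHOLDER"',
    'ts=2026-02-10T08:02:41Z src=203.0.113.24 event=ws_handshake remoteVersion=$(PLACEHOLDER)',
    'ts=2026-02-10T08:05:03Z src=198.51.100.9 event=ws_handshake remoteVersion=25..3',
    'ts=2026-02-10T08:06:17Z src=192.0.2.50 event=heartbeat',
]

def is_valid_version(value):
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    return VERSION_RE.fullmatch(value) is not None

def classify(value):
    """Coarse reason for rejection, useful for sorting findings."""
    if not value:
        return "empty"
    if any(ch not in "0123456789." for ch in value):
        return "non-numeric characters"
    return "malformed dotted version"

def triage(lines):
    """Return one finding per line whose remoteVersion fails the allowlist."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = FIELD_RE.search(line)
        if m is None:
            continue  # line carries no remoteVersion field
        value = m.group(1) if m.group(1) is not None else m.group(2)
        if is_valid_version(value):
            continue
        src = SRC_RE.search(line)
        findings.append({"line": lineno, "src": src.group(1) if src else "unknown",
                         "value": value, "reason": classify(value)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The same allowlist belongs on the server side as input validation before the value reaches any shell; matching what is expected is more robust than trying to enumerate dangerous characters.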

BeyondTrust advises all users to apply the latest patches for Remote Support and Privileged Remote Access software and upgrade to versions 25.3.2 and 25.1.1, respectively. Older versions should also be updated to ensure security compliance.
