Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Flaw in BeyondTrust Exploited for Cyber Attacks

Critical Flaw in BeyondTrust Exploited for Cyber Attacks

Posted on February 20, 2026 By CWS

A critical security vulnerability has been identified in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products, posing significant risks across several industries. Exploited by threat actors, this flaw, designated as CVE-2026-1731 with a CVSS score of 9.9, enables the execution of operating system commands in the context of the site user.

Exploitation of CVE-2026-1731

According to a report released on Thursday by Palo Alto Networks Unit 42, the vulnerability is being actively exploited in various malicious campaigns. These include network reconnaissance, web shell deployment, command-and-control (C2) installation, and data theft. The sectors affected encompass financial services, legal services, high technology, higher education, wholesale and retail, and healthcare, impacting regions such as the U.S., France, Germany, Australia, and Canada.

The flaw arises from a failure in input sanitization, allowing attackers to manipulate the ‘thin-scc-wrapper’ script accessible via the WebSocket interface. This permits the execution of arbitrary shell commands as the site user, according to security researcher Justin Moore. Despite being distinct from the root user, compromising this account gives attackers significant control over the appliance’s configuration and managed sessions.

Techniques Used in Attacks

The exploitation techniques vary, ranging from reconnaissance to backdoor deployment. Attackers use custom Python scripts to access administrative accounts and install multiple web shells, including a PHP backdoor capable of executing raw PHP code. Additionally, a bash dropper establishes persistent web shells. Malware like VShell and Spark RAT has been deployed, utilizing out-of-band application security testing (OAST) techniques to confirm successful code execution and fingerprint compromised systems.

Attackers also execute commands to stage, compress, and exfiltrate sensitive data, including configuration files and a full PostgreSQL dump, to an external server. These activities highlight the sophisticated nature of the attacks exploiting this vulnerability.

Connection to Previous Vulnerabilities

The relationship between CVE-2026-1731 and a previous vulnerability, CVE-2024-12356, underscores recurring challenges in input validation. While CVE-2024-12356 involved issues with third-party software, the current vulnerability pertains specifically to BeyondTrust’s RS and PRA product lines. The previous vulnerability was targeted by China-nexus threat actors like Silk Typhoon, raising concerns that CVE-2026-1731 may attract similar attention.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include CVE-2026-1731, confirming its exploitation in ransomware campaigns. This development emphasizes the necessity for organizations to remain vigilant and implement robust security measures to mitigate potential threats.

The Hacker News Tags:Backdoors, BeyondTrust, CVE-2026-1731, cyber attack, Cybersecurity, data exfiltration, network security, Remote Support, Vulnerability, web shells

Post navigation

Previous Post: Critical Flaw in Grandstream VoIP Phones Exposes Networks
Next Post: Apache Tomcat Security Flaw Allows Constraint Bypass

Related Posts

CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution The Hacker News
India Orders Phone Makers to Pre-Install Sanchar Saathi App to Tackle Telecom Fraud India Orders Phone Makers to Pre-Install Sanchar Saathi App to Tackle Telecom Fraud The Hacker News
Malicious Ruby and Go Modules Target CI Environments Malicious Ruby and Go Modules Target CI Environments The Hacker News
Critical Mitel Flaw Lets Hackers Bypass Login, Gain Full Access to MiVoice MX-ONE Systems Critical Mitel Flaw Lets Hackers Bypass Login, Gain Full Access to MiVoice MX-ONE Systems The Hacker News
Drift Faces 5M Loss in Social Engineering Heist Drift Faces $285M Loss in Social Engineering Heist The Hacker News
AI Malware, Voice Bot Flaws, Crypto Laundering, IoT Attacks — and 20 More Stories AI Malware, Voice Bot Flaws, Crypto Laundering, IoT Attacks — and 20 More Stories The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark