Active Exploitation Observed in Critical BeyondTrust Vulnerability

Security research published by Palo Alto Networks’ Unit 42 has found active exploitation of a newly disclosed critical vulnerability affecting BeyondTrust’s Remote Support, software used for privileged access and remote administration.

The flaw, tracked as CVE-2026-1731, is a pre-authentication remote code execution (RCE) vulnerability that allows unauthenticated attackers to execute operating system commands through exposed WebSocket endpoints. The issue stems from improper input handling in a network-facing component, enabling command injection before any user authentication occurs. The vulnerability carries a CVSS score of 9.9, reflecting its severity and low exploitation complexity.

Unit 42 researchers observed exploitation beginning shortly after the vulnerability's discovery in early February 2026. Post-exploitation activity included web shell deployment, command-and-control traffic, lateral movement, account creation, and data theft. Malware families such as SparkRAT and VShell were also observed being deployed following successful exploitation.

Affected environments span multiple sectors, including financial services, healthcare, higher education, legal services, and technology organizations, with confirmed activity across the United States, Europe, Australia, and Canada.

Telemetry cited by Unit 42 indicates that more than 16,400 exposed instances were vulnerable at the time of analysis.

Due to confirmed exploitation in the wild, the flaw has also been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, signaling elevated risk for the private sector.

Exposed remote management interfaces continue to be a high-value target for attackers, and pre-authentication flaws can rapidly lead to full system compromise when left unpatched.

Organizations running affected self-hosted deployments are advised to apply patches immediately or upgrade to fixed versions, particularly if automatic updates are not enabled.

