Executive Summary:
On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is the vendor of an identity and access management platform. This specific vulnerability is a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption.

Unit 42 is actively investigating exploitation of this vulnerability and has observed attacker activity consistent with the following:
- Network reconnaissance and account creation
- Webshell deployment
- Command-and-control (C2) traffic
- Backdoor and remote management tool deployment
- Lateral movement
- Data theft

The campaign tracked by Unit 42 has so far affected the following sectors in the U.S., France, Germany, Australia and Canada:
- Financial services
- Legal services
- High technology
- Higher education
- Wholesale and retail
- Healthcare

Due to the severity of the risk and confirmed active exploitation, the U.S.
Article Summaries:
- On Feb. 6, 2026, BeyondTrust issued a security advisory for CVE-2026-1731, a pre-authentication remote code execution flaw in the thin-scc-wrapper component of its remote support software. The vulnerability allows attackers to run arbitrary OS commands via a WebSocket handshake. Unit 42 has documented active exploitation, including reconnaissance, web shell deployment, C2 traffic, lateral movement and data theft across the financial, legal, technology, education, retail and healthcare sectors in the U.S., France, Germany, Australia and Canada. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Feb. 13, mandating remediation by federal agencies and urging private-sector organizations to prioritize it. Palo Alto Networks identified over 16,400 exposed instances.
- Palo Alto Networks Unit 42 reported that a critical flaw (CVE-2026-1731, CVSS 9.9) in BeyondTrust Remote Support and Privileged Remote Access products is being actively exploited in the wild. The vulnerability allows attackers to run arbitrary OS commands via a WebSocket-exposed script, enabling reconnaissance, web shell deployment, command-and-control, backdoor installation, lateral movement and data exfiltration. Targeted sectors include finance, legal, technology, education, retail and healthcare across the U.S., France, Germany, Australia and Canada. BeyondTrust confirmed early exploitation in January 2026 and is assisting affected customers. The U.S. CISA added the flaw to its Known Exploited Vulnerabilities catalog.
Sources:
- https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/
- https://thehackernews.com/2026/02/beyondtrust-flaw-used-for-web-shells.html (Latest source article published: 2026-02-20 15:45 UTC)