PT-2026-6803 · BeyondTrust · BeyondTrust Remote Support, Privileged Remote Access

Win3Zz · Published 2026-01-31 · Updated 2026-05-24 · CVE-2026-1731

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

BeyondTrust Remote Support versions prior to 25.3.2
BeyondTrust Privileged Remote Access versions prior to 25.1.1

Description

BeyondTrust Remote Support and Privileged Remote Access contain a critical pre-authentication remote code execution flaw. The issue stems from an OS command injection weakness in a Bash script named thin-scc-wrapper, which improperly handles the remoteVersion parameter during client-server negotiation. An unauthenticated remote attacker can exploit this by sending specially crafted requests to the /get_portal_info endpoint to extract the x-ns-company value, then establishing a WebSocket channel via the /nw endpoint to execute arbitrary operating system commands in the context of the site user.

This issue has been actively exploited in global campaigns targeting the finance, healthcare, legal, and technology sectors across the US, France, Germany, Australia, and Canada. Attackers have used this flaw to deploy web shells, backdoors such as VShell and SparkRAT, and other remote monitoring tools like SimpleHelp and AnyDesk to achieve persistence, perform lateral movement, and exfiltrate sensitive data, including full PostgreSQL database dumps. The flaw has also been weaponized in ransomware attacks. Approximately 11,000 exposed instances were identified worldwide.

Recommendations

Update BeyondTrust Remote Support to version 25.3.2 or later, or apply patch BT26-02-RS.
Update BeyondTrust Privileged Remote Access to version 25.1.1 or later, or apply patch BT26-02-PRA.
As a temporary mitigation, take the portal offline or restrict access to internal IP addresses to minimize the risk of exploitation.
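
For triage while patching, the request sequence in the description (portal-info request, then a connection to /nw) can be searched for in front-end access logs, limited to clients outside the internal ranges named in the mitigation. This is an added example, not code from BeyondTrust or from this advisory. Assumptions: combined-log-format lines, the /get_portal_info path spelling, a 60-second window, the RFC 1918 and loopback ranges as "internal", and the function names.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed: combined-log-format access lines; endpoint path spellings as below.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')
INFO_PATH, WS_PATH = "/get_portal_info", "/nw"
WINDOW = timedelta(seconds=60)  # assumed correlation window
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Feb/2026:10:00:03 +0000] "GET /nw HTTP/1.1" 101 0',
    '10.1.2.3 - - [01/Feb/2026:10:05:00 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Feb/2026:10:05:01 +0000] "GET /nw HTTP/1.1" 101 0',
    '198.51.100.9 - - [01/Feb/2026:11:00:00 +0000] "GET /get_portal_info HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Feb/2026:11:30:00 +0000] "GET /nw HTTP/1.1" 101 0',
]

def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspect_sequences(lines, window=WINDOW):
    """Return (ip, info_time, ws_time) for each external client that requests
    the portal-info endpoint and then requests /nw within `window`."""
    last_info, hits = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        try:
            if not is_external(m["ip"]):
                continue
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an IP, or unparsable timestamp
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == INFO_PATH:
            last_info[ip] = ts
        elif path == WS_PATH and ip in last_info:
            info_ts = last_info.pop(ip)
            if timedelta(0) <= ts - info_ts <= window:
                hits.append((ip, info_ts, ts))
    return hits
```

Legitimate clients may produce the same sequence, so hits are leads for review; they carry the most weight once the portal is supposed to be reachable only from internal addresses.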

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-03413
CVE-2026-1731

Affected Products

BeyondTrust Remote Support
Privileged Remote Access