{"id":10812,"date":"2026-02-20T10:03:45","date_gmt":"2026-02-20T10:03:45","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/20\/hackers-actively-exploiting-critical-beyondtrust-vulnerability-to-deploy-vshell-and-sparkrat\/"},"modified":"2026-02-20T10:03:45","modified_gmt":"2026-02-20T10:03:45","slug":"hackers-actively-exploiting-critical-beyondtrust-vulnerability-to-deploy-vshell-and-sparkrat","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/20\/hackers-actively-exploiting-critical-beyondtrust-vulnerability-to-deploy-vshell-and-sparkrat\/","title":{"rendered":"Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT"},"content":{"rendered":"

Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical vulnerability in BeyondTrust\u2019s remote support software is being actively exploited by hackers to deliver dangerous backdoors on compromised systems. <\/p>\n

The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and lets attackers run system commands with no login required.<\/p>\n

BeyondTrust released a security advisory on February 6, 2026, confirming that CVE-2026-1731 is an OS command injection vulnerability (CWE-78) in the\u00a0thin-scc-wrapper<\/code>\u00a0component, which is exposed directly to the network via WebSocket. <\/p>\n

Sectors targeted by this campaign include financial services, healthcare, legal services, higher education, and technology firms across the United States, France, Germany, Australia, and Canada.<\/p>\n

Palo Alto Networks\u2019 Unit 42 analysts identified active exploitation<\/a> across more than 10,600 exposed instances, tracking a broad campaign that rapidly escalates from initial access to full control. <\/p>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2026, mandating urgent remediation for federal agencies and urging private-sector organizations to act immediately.<\/p>\n

Two backdoors sit at the core of this campaign. SparkRAT is an open-source<\/a>, Go-based remote access Trojan first seen in 2023 in campaigns linked to the DragonSpark threat group. <\/p>\n

VShell is a Linux backdoor known for fileless memory execution and its ability to blend in as a normal system service, making it hard to detect.<\/p>\n

CVE-2026-1731 connects historically to CVE-2024-12356, an earlier BeyondTrust flaw exploited by Silk Typhoon<\/a> (APT27) in the 2024 breach of the U.S. Treasury. <\/p>\n

The same recurring weakness \u2014 insufficient input validation \u2014 shows up in both vulnerabilities, signaling that remote access platforms remain a prime target for sophisticated threat actors.<\/p>\n

Inside the Infection Chain<\/strong><\/h2>\n

The attack starts when a threat actor opens a WebSocket connection to the appliance and submits a malformed\u00a0remoteVersion<\/code>\u00a0value formatted as\u00a0a[$(cmd)]0<\/code>\u00a0during the handshake phase.<\/p>\n

\n
\"Custom
Custom Python script for administrative account access (Source \u2013 Palo Alto Networks)<\/figcaption><\/figure>\n<\/div>\n

The\u00a0thin-scc-wrapper<\/code>\u00a0script processes this value using bash arithmetic contexts, which treat the input as runnable expressions rather than plain numbers \u2014 causing the injected command to execute silently.<\/p>\n

\n
\"One-line
One-line PHP web shell seen in activity exploiting CVE-2026-1731 (Source \u2013 Palo Alto Networks)<\/figcaption><\/figure>\n<\/div>\n

Attackers follow this with web shell deployment, installing a compact PHP backdoor<\/a> via the\u00a0eval()<\/code>\u00a0function and a multi-vector shell named\u00a0aws.php<\/code>.<\/p>\n

\n
\"PHP
PHP web shell aws.php (Source \u2013 Palo Alto Networks)<\/figcaption><\/figure>\n<\/div>\n
\n\n\n\n\n\n\n
CVE ID<\/th>\nCVSS Score<\/th>\nSeverity<\/th>\nType<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
CVE-2026-1731\u200b<\/td>\n9.9<\/td>\nCritical<\/td>\nOS Command Injection (CWE-78)<\/td>\nPre-authentication RCE in thin-scc-wrapper<\/code> component of BeyondTrust Remote Support and PRA via malformed WebSocket remoteVersion<\/code> input<\/td>\n<\/tr>\n
CVE-2024-12356<\/td>\nCritical<\/td>\nCritical<\/td>\nInput Validation Failure<\/td>\nEarlier BeyondTrust WebSocket endpoint flaw exploited by Silk Typhoon (APT27); predecessor to CVE-2026-1731<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

A bash dropper then plants a password-protected backdoor in the web root, temporarily injects a malicious Apache configuration directive, and immediately overwrites the config file on disk to hide all evidence.<\/p>\n

\n
\"Bash
Bash dropper seen in the attacks (Source \u2013 Palo Alto Networks) <\/figcaption><\/figure>\n<\/div>\n

BeyondTrust advises self-hosted customers to manually apply available patches \u2014 Remote Support 25.3.2 and Privileged Remote Access<\/a> 25.1.1 \u2014 and to upgrade older versions below 21.3 (RS) or 22.1 (PRA) before patching.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n

The post Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Hackers Actively Exploiting Critical BeyondTrust Vulnerability to Deploy VShell and SparkRAT A critical vulnerability in BeyondTrust\u2019s remote support software is being actively exploited by hackers to deliver dangerous backdoors on compromised systems. The flaw, tracked as CVE-2026-1731, carries a CVSS score of 9.9 and lets attackers run system commands with no login required. BeyondTrust released […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10812","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10812"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10812"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10812\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}