Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors

Palo Alto Networks’ Unit 42 has uncovered an active exploitation campaign targeting BeyondTrust Remote Support and Privileged Remote Access appliances through CVE-2026-1731, a critical pre-authentication remote code execution vulnerability with a CVSS score of 9.9. The attacks have deployed sophisticated backdoors including VShell and SparkRAT across organizations in financial services, healthcare, legal, and high-tech sectors.

The Vulnerability: Pre-Auth RCE via Bash Arithmetic Injection

CVE-2026-1731 is a flaw in thin-scc-wrapper, a shell script on the appliance that is reachable over WebSocket and handles incoming connections. It stems from the script's failure to validate the remoteVersion parameter that the client supplies during the WebSocket handshake.

The script compares version numbers inside bash arithmetic contexts such as (( ... )). Bash performs command substitution on the text of such an expression and also expands array subscripts it meets while evaluating it, so a remoteVersion value that carries a $(command) construct (for example a[$(command)]) causes the embedded command to run. Because the handshake is processed before any authentication, the result is unauthenticated command execution on the appliance.
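The bash snippet below is added here as an illustration of the injection class and is not the thin-scc-wrapper script or code from the Unit 42 report. It puts a vulnerable version check beside a hardened one; the function names, the version threshold of 22 and the payload are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added illustration of the bash arithmetic-injection class behind CVE-2026-1731.
# This is NOT the thin-scc-wrapper script: the function names, the version
# threshold and the payload are assumptions made for this demonstration.

# (( )), [[ =~ ]] and ${BASH_SOURCE} are bashisms; re-exec if started from sh.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Vulnerable pattern: attacker-controlled text reaches (( ... )) unvalidated.
# Bash resolves remote_version, evaluates its value as an expression, and
# expands an array subscript such as a[$(cmd)] with command substitution,
# so cmd runs before any comparison takes place.
vulnerable_version_check() {
  local remote_version="$1"        # intended input: a major version, e.g. "24"
  if (( remote_version >= 22 )); then
    echo "supported"
  else
    echo "unsupported"
  fi
}

# Hardened pattern: allow-list the shape of the input first, then extract the
# number and compare it with an explicit base-10 prefix so "08" is not read
# as octal. The raw string is never handed to the evaluator.
safe_version_check() {
  local remote_version="$1"
  if [[ ! $remote_version =~ ^[0-9]+(\.[0-9]+){0,3}$ ]]; then
    echo "rejected"
    return 1
  fi
  local major="${remote_version%%.*}"
  if (( 10#$major >= 22 )); then
    echo "supported"
  else
    echo "unsupported"
  fi
}

# Constructed payload: the embedded command writes a marker file, then the
# subscript evaluates to 0 so the expression itself raises no error.
MARKER="$(mktemp)"
trap 'rm -f "$MARKER"' EXIT
PAYLOAD='a[$(echo injected > "$MARKER"; echo 0)]'

# Runs the vulnerable check on the payload and prints what landed in the
# marker file: "injected" means the embedded command executed.
run_vulnerable_with_payload() {
  : > "$MARKER"
  vulnerable_version_check "$PAYLOAD" > /dev/null
  cat "$MARKER"
}

# Same payload against the hardened check: the input is rejected before any
# evaluation, so the marker file stays empty.
run_safe_with_payload() {
  : > "$MARKER"
  safe_version_check "$PAYLOAD" > /dev/null || true
  cat "$MARKER"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "vulnerable check, payload side effect: '$(run_vulnerable_with_payload)'"
  echo "hardened check,   payload side effect: '$(run_safe_with_payload)'"
fi
```

The same evaluation rules apply to $(( ... )), let, and the -eq family inside [[ ... ]], so validating the input before it reaches any of them is the fix; quoting the variable does not help, because the expansion happens inside the evaluator rather than at the command line.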

Multi-Stage Attack Chain

Unit 42 observed attackers following a comprehensive playbook after initial exploitation:

  • Network reconnaissance and domain enumeration
  • Administrative account takeover using a custom Python script that hijacks the administrator account (User ID 1) for 60 seconds and then deletes itself
  • Web shell deployment including password-protected PHP backdoors with China Chopper/AntSword signatures
  • Apache config STOMPing – a technique that injects malicious directives into the running Apache process while keeping the on-disk configuration file clean
  • Backdoor installation with SparkRAT and VShell
  • Lateral movement and remote access using legitimate tools such as SimpleHelp, AnyDesk, and Cloudflare tunnels
  • Data exfiltration targeting configuration files and internal databases

Malware Arsenal

SparkRAT

SparkRAT is a cross-platform, open-source remote access Trojan written in Go. It was first reported in attacks in 2023, during the DragonSpark campaign, provides full remote control of the host, and has been observed across numerous compromised environments in this campaign.

VShell

VShell is a stealthy Linux backdoor characterized by advanced evasion techniques, including fileless in-memory execution and masquerading as legitimate system services, which makes it difficult to detect with traditional file-based security tools.

Scope of Impact

The campaign has affected organizations across multiple sectors in the United States, France, Germany, Australia, and Canada:

  • Financial Services
  • Legal Services
  • High Technology
  • Higher Education
  • Wholesale and Retail
  • Healthcare

At the time of Unit 42's publication, Cortex Xpanse had identified more than 16,400 internet-exposed instances vulnerable to CVE-2026-1731.

CISA Mandates Immediate Action

Due to confirmed active exploitation, CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2026, mandating immediate remediation for federal agencies and signaling urgent prioritization for the private sector.

Recommendations

  • Patch immediately – Self-hosted BeyondTrust Remote Support and Privileged Remote Access customers should apply the fixes in BeyondTrust's February 2026 security advisory
  • Hunt for web shells – Search web root directories for suspicious PHP files, especially ones that pass Base64-decoded or request-supplied input to eval()
  • Monitor for config STOMPing – Compare the configuration the running Apache process is actually using against the on-disk files
  • Check for unauthorized account activity – Review access and audit logs for the User ID 1 administrator account and look for short-lived sessions or unexpected changes
  • Deploy EDR with behavioral detection – SparkRAT and VShell may evade signature-based detection
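The script below is added here as a worked version of the web shell hunt recommended above; it is not Unit 42's or BeyondTrust's tooling. It greps PHP files under a web root for the eval and command-execution shapes the report describes and runs against a small constructed fixture. The patterns, the sample files and the directory layout are assumptions.

```shell
#!/usr/bin/env bash
# Added web-shell hunting example for the recommendations above; this is not
# Unit 42's or BeyondTrust's tooling. The patterns, the sample files and the
# directory layout are assumptions made for this demonstration.

# Arrays and process substitution are bashisms; re-exec if started from sh.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Constructs that recur in PHP web shells: eval of request input (the China
# Chopper / AntSword one-liner shape), eval of a base64 payload, decode-then-
# eval wrappers, and command execution fed directly from a request parameter.
WEBSHELL_PATTERNS=(
  'eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)\['
  'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('
  '(gzinflate|gzuncompress|str_rot13)[[:space:]]*\([[:space:]]*base64_decode'
  '(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST)\['
)

# hunt_webshells DIR: print "path<TAB>pattern" for each PHP file under DIR that
# matches one of the patterns (first match wins). Returns 1 if nothing matched.
hunt_webshells() {
  local root="$1" found=0 f p
  while IFS= read -r -d '' f; do
    for p in "${WEBSHELL_PATTERNS[@]}"; do
      if grep -Eqi -- "$p" "$f"; then
        printf '%s\t%s\n' "$f" "$p"
        found=1
        break
      fi
    done
  done < <(find "$root" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \) -print0)
  [ "$found" -eq 1 ]
}

# count_webshell_hits DIR: number of flagged files, for scripted comparisons.
count_webshell_hits() {
  hunt_webshells "$1" | wc -l | tr -d '[:space:]'
}

# Constructed fixture: a temporary web root holding one legitimate include and
# two files shaped like the PHP backdoors described in the report.
make_sample_webroot() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/inc" "$d/uploads"
  printf '<?php\n$cfg = ["db" => "localhost"];\necho "ok";\n' > "$d/inc/config.php"
  printf '<?php @eval($_POST["pass"]); ?>\n' > "$d/uploads/.cache.php"
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$d/img.php"
  echo "$d"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  WEBROOT="$(make_sample_webroot)"
  hunt_webshells "$WEBROOT" || echo "no hits"
  rm -rf "$WEBROOT"
fi
```

Run it against the real document root (for example hunt_webshells /var/www) rather than the fixture, and narrow the candidate set further with the modification window of the intrusion and with paths where PHP should never appear, such as upload and image directories. Expect some false positives: a few legitimate frameworks call eval on generated code, so every hit still needs a manual look.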

Source: Unit 42 – Palo Alto Networks