Introduction

A critical vulnerability (CVE-2026-1731, CVSS 9.9) was publicly disclosed on February 6, 2026, affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw allows unauthenticated attackers to achieve full remote code execution via a crafted WebSocket message (WebSocket is a persistent, bidirectional communication channel between a client and server, commonly used for real-time features) sent to an internet-facing endpoint. It requires no credentials and no user interaction, and the attack complexity is low. Active exploitation has been confirmed by multiple independent sources including GreyNoise, watchTowr, and Arctic Wolf, with attacks observed within 24 hours of public PoC availability. Immediate patching is required.

Quick Overview

| Attribute | Details |
| --- | --- |
| CVE | CVE-2026-1731 |
| Severity | Critical (CVSS 9.9 v4.0 / 9.8 v3.1) |
| CWE | CWE-78 (OS Command Injection) |
| Affected Products | BeyondTrust Remote Support (RS), Privileged Remote Access (PRA) |
| Affected Versions | RS 25.3.1 and prior; PRA 24.3.4 and prior (PRA 25.1+ is not affected) |
| Attack Vector | Network |
| Authentication Required | None |
| Exploit Complexity | Low |
| User Interaction | None |
| Active Exploitation | Yes, confirmed (GreyNoise, watchTowr, Arctic Wolf, Darktrace) |
| PoC Available | Yes, public (multiple GitHub repositories including win3zz, referenced by CISA) |
| CISA KEV | Yes (added February 13, 2026; verify due date in official KEV catalog) |
| Fix Available | Yes: RS 25.3.2+ / PRA 25.1.1+ |

What Is BeyondTrust Remote Support & Privileged Remote Access?

BeyondTrust Remote Support (RS) is an enterprise remote access tool that lets IT teams and help desks connect to and control endpoints. Think of it as the enterprise-grade version of tools like TeamViewer or AnyDesk. Privileged Remote Access (PRA) extends that concept specifically for managing privileged sessions: it brokers, monitors, and records connections to sensitive systems while storing the credentials needed to access them.

This is exactly why a vulnerability in these products is so dangerous. BeyondTrust appliances are designed to be internet-facing by default and they hold the keys to an organization’s most sensitive infrastructure. Compromising one doesn’t just give an attacker a single server. It gives them the credential vault, the session recordings, and a direct tunnel into every system the appliance manages. BeyondTrust states that approximately 75% of the Fortune 100 use its products, and researchers at Hacktron AI identified roughly 11,000 internet-facing instances via Shodan and Fofa at the time of disclosure, of which approximately 8,500 are on-premises deployments that remain potentially vulnerable if not patched (SaaS instances were automatically remediated).

Technical Analysis

The Root Cause: Unsafe Bash Arithmetic Evaluation

The vulnerability lives in a shell script called thin-scc-wrapper that is reachable through the /nw WebSocket URI. This is the same endpoint that was exploited as a zero-day in December 2024 (CVE-2024-12356) in a high-profile nation-state attack, but through a different code path.

The root cause is a classic CWE-78 (OS Command Injection), but the injection mechanism is a particularly interesting one that many developers don’t think about: Bash arithmetic evaluation. In Bash, when you write something like $(( $user_input )) to do a numeric comparison, the shell doesn’t just treat the content as a number. Bash arithmetic contexts evaluate nested command substitutions, meaning if $user_input contains a[$(whoami)], the shell will actually execute whoami before attempting the arithmetic. This is by design in Bash, but it’s a dangerous footgun when user-controlled input reaches an arithmetic expression without sanitization.

In BeyondTrust’s case, the thin-scc-wrapper script takes a remoteVersion parameter from incoming WebSocket messages and feeds it into a Bash numeric comparison to determine protocol compatibility. Because the WebSocket endpoint does not require authentication and the script does not sanitize the version string, an attacker can inject arbitrary OS commands that execute in the context of the site user, which is the service account running the BeyondTrust appliance.
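The footgun described above is easiest to see in a small script. The following is an added illustration and not BeyondTrust's code (the real thin-scc-wrapper is not reproduced here): it puts the unsafe version check next to a hardened one that allowlists the value's shape before any arithmetic happens. The parameter name remoteVersion comes from the advisory; the function names, the minimum-major threshold, and the canary path are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not BeyondTrust's thin-scc-wrapper). Function names, the
# MIN_PROTOCOL_MAJOR threshold and the canary path are constructed.

MIN_PROTOCOL_MAJOR=21   # assumed compatibility threshold for the demo

# VULNERABLE PATTERN (CWE-78 via arithmetic evaluation).
# The caller's string is expanded into an arithmetic context. Bash then parses
# the result as an expression, and an array subscript such as a[$(cmd)] is
# expanded a second time, which runs cmd before any comparison happens.
unsafe_is_compatible() {
    local remote_version="$1"
    local major="${remote_version%%.*}"          # "25.3.1" -> "25"
    [ "$(( $major >= MIN_PROTOCOL_MAJOR ))" -eq 1 ]
}

# HARDENED PATTERN: allowlist the shape of the value before it can reach any
# arithmetic. Returns 0 = compatible, 1 = too old, 2 = malformed (rejected).
safe_is_compatible() {
    local remote_version="$1"
    case "$remote_version" in
        ""|*[!0-9.]*|.*|*.|*..*) return 2 ;;     # anything but digits and single dots
    esac
    local major="${remote_version%%.*}"
    case "$major" in
        0[0-9]*) return 2 ;;                     # bash would read a leading zero as octal
    esac
    # $major now contains only decimal digits, so nothing here can expand.
    [ "$(( major >= MIN_PROTOCOL_MAJOR ))" -eq 1 ]
}

# Demonstration with a constructed canary file: the injected command does
# nothing but create the file, which is enough to prove it executed.
demo_dir=$(mktemp -d)
canary="$demo_dir/canary"
payload="a[\$(touch $canary)]"                   # same shape as the PoC value quoted above
( unsafe_is_compatible "$payload" ) 2>/dev/null || true
if [ -e "$canary" ]; then
    echo "unsafe_is_compatible: injected command executed (bash arithmetic)"
else
    echo "unsafe_is_compatible: no execution (not running under bash)"
fi
rc=0; safe_is_compatible "$payload" || rc=$?
echo "safe_is_compatible: rejected with status $rc before any arithmetic"
rm -rf "$demo_dir"
```

The hardened version rejects on shape, not on a denylist of characters: a version string is digits separated by single dots, and everything else is refused before the shell gets a chance to expand it. The octal check is there because `$(( 08 ))` is an error in Bash, which would otherwise turn a harmless value into an unexpected failure path. Where possible, avoid feeding untrusted input to shell arithmetic at all and do the comparison in a language with a real integer type.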

Attack Flow

  1. Reconnaissance: The attacker sends a GET request to /get_portal_info to extract the x-ns-company value, a configuration identifier required to establish a valid WebSocket session.
  2. WebSocket connection: Using the company value, the attacker initiates a WebSocket connection to the /nw endpoint, which is normally used for client-appliance protocol negotiation.
  3. Payload injection: The attacker sends a WebSocket message containing a newline-delimited sequence that includes a malicious remoteVersion parameter. The documented PoC payload uses the format a[$(touch /tmp/pwned)], but any arbitrary command can be substituted. This value reaches the Bash arithmetic evaluation in thin-scc-wrapper.
  4. Command execution: Bash evaluates the nested command substitution within the arithmetic context, executing the attacker’s payload as the site user on the underlying operating system. The attacker now has full OS-level access to the appliance.

Why Existing Protections Don’t Help

The critical factor is that the /nw WebSocket endpoint is exposed to the internet by design. It’s how legitimate BeyondTrust clients connect to the appliance. There is no authentication layer between the internet and the vulnerable code path. Web Application Firewalls (WAFs) may not inspect WebSocket frame content by default, and because the payload is embedded in what looks like a version negotiation parameter, it doesn’t trigger standard injection signatures. The commands execute at the OS level, below any application-layer access controls.

Affected Versions

| Branch | Vulnerable Versions | Fixed Version | Patch ID | Patch Applies To |
| --- | --- | --- | --- | --- |
| Remote Support (RS) | 25.3.1 and all prior versions | 25.3.2+ | BT26-02-RS | RS 21.3 through 25.3.1 |
| Privileged Remote Access (PRA) | 24.3.4 and all prior versions | 25.1.1+ | BT26-02-PRA | PRA 22.1 through 24.3.4 |

Important Notes

  • PRA 25.1 and later are not affected by this vulnerability and do not require patching.
  • SaaS/cloud customers were automatically patched on February 2, 2026 and do not need to take action.
  • Self-hosted customers must manually download and apply the BT26-02 patch, or upgrade to the fixed version.
  • Organizations running RS versions older than 21.3 or PRA versions older than 22.1 must first upgrade to a supported release before the patch can be applied. These legacy versions are still vulnerable but cannot receive the patch directly.
  • The December 2024 patch for CVE-2024-12356 does not cover this vulnerability. Both target the same WebSocket endpoint, but CVE-2026-1731 exploits a different code path within it. Organizations that applied the earlier patch must still apply BT26-02.

Threat Status

Exploitation Activity: Active exploitation is confirmed by multiple independent sources. BeyondTrust’s own advisory states the first exploitation attempt was observed on February 10, 2026, the same day the first public PoCs appeared. By February 11, GreyNoise’s Global Observation Grid detected scanning surges, with a single IP address responsible for 86% of observed probe traffic. This IP was operating from a commercial VPN in Frankfurt and simultaneously targeting SonicWall, MOVEit, Log4j, and other high-value attack surfaces, which suggests a sophisticated multi-exploit operator rather than an opportunistic scanner. watchTowr’s Head of Threat Intelligence Ryan Dewhurst confirmed in-the-wild exploitation on February 12 across their global sensor network. Arctic Wolf and Darktrace independently corroborated exploitation activity in customer environments. Notably, GreyNoise observed attackers probing non-standard ports beyond 443, indicating awareness that some enterprises relocate BeyondTrust off default ports.

PoC Availability: Multiple public proof-of-concept exploits are available. Rapid7 published a detailed technical analysis and PoC on February 10, and security researcher win3zz published a separate PoC on GitHub the same day. CISA references the latter in its official CVE record. At least four public repositories now exist, including Nuclei-based scanner templates. Defused Cyber confirmed attackers are leveraging these automated scripts for mass exploitation. The exploit itself is trivially simple: it’s essentially a WebSocket message with a crafted version string.

Attribution: No specific threat actor attribution has been published for CVE-2026-1731 exploitation at this time. However, it is worth noting that the same WebSocket endpoint was previously exploited as a zero-day by what the U.S. government attributed to the Chinese state-sponsored group Silk Typhoon (also known as Hafnium) in a high-profile December 2024 breach of a federal agency. GreyNoise sensors also caught a malicious IP replaying the earlier exploit chain (CVE-2024-12356 + CVE-2025-1094) in January 2026, before CVE-2026-1731 was even discovered, which suggests sustained nation-state interest in BeyondTrust’s attack surface. No definitive connection between those earlier activities and the current exploitation wave has been established.

Why This Matters: Three reasons this CVE stands out from the noise

First, BeyondTrust appliances are purpose-built gateways to privileged access. Unlike a vulnerability in a typical web application where the blast radius is limited to that application’s data, compromising a PRA appliance gives attackers direct access to the credential vault: stored passwords, SSH keys, and session tokens for the most sensitive systems in an organization. Arctic Wolf documented a complete post-exploitation playbook observed in active incidents: attackers deployed SimpleHelp RMM (a legitimate remote monitoring and management tool, repurposed as a persistent backdoor) as renamed binaries saved to C:\ProgramData\, created new domain administrator accounts, enumerated Active Directory using AdsiSearcher, and moved laterally via PSExec and Impacket. This is not theoretical. It is the observed kill chain.

Second, the discovery-to-exploitation timeline is a case study in how fast the game moves now. On January 30, watchTowr published a technical analysis of CVE-2026-1281, an arithmetic evaluation injection in Ivanti EPMM, documenting the bug pattern in detail. On January 31, researchers Harsh Jaiswal and the Hacktron AI team used AI-enabled variant analysis (searching for the same class of arithmetic evaluation bug across other codebases) and found CVE-2026-1731 in BeyondTrust’s products. BeyondTrust patched SaaS customers on February 2 and published advisory BT26-02 on February 6. Rapid7 reverse-engineered the patch on February 10 by analyzing the modified thin-scc-wrapper script, and published both a detailed write-up and a PoC. win3zz independently published a separate PoC on GitHub the same day. BeyondTrust observed the first exploitation attempt on February 10, and by February 12, watchTowr and Arctic Wolf confirmed mass exploitation was underway. That’s under two weeks from pattern identification to exploitation at scale. This is a concrete example of how AI-assisted vulnerability research compresses the timeline: a pattern discovered in one vendor’s product was applied to a completely different vendor’s product within 24 hours.

Third, this is the fourth significant security issue in or closely related to BeyondTrust’s remote access products in just 14 months, and the second to hit the exact same /nw WebSocket endpoint. The earlier CVE-2024-12356 was the zero-day exploited by a nation-state actor in December 2024; CVE-2026-1731 is a variant in a different code path within the same endpoint. This pattern, where the initial patch addresses the specific exploitation vector but doesn’t fully remediate the broader vulnerability class in the surrounding code, is a recurring theme in security and one worth watching. Organizations that deploy BeyondTrust in internet-facing configurations should factor this track record into their risk models and network segmentation decisions.

| Related CVE | Date | CVSS | Type | Exploited? |
| --- | --- | --- | --- | --- |
| CVE-2024-12356 | Dec 2024 | 9.8 | Command Injection (/nw endpoint) | Yes, Silk Typhoon zero-day; high-profile federal agency breach |
| CVE-2024-12686 | Dec 2024 | Medium | Discovered during subsequent investigation | Yes, 17 SaaS instances compromised via stolen API key |
| CVE-2025-1094 | Jan 2025 | Critical | PostgreSQL SQL injection (not a BeyondTrust CVE, chained with 12356) | Yes, part of the same nation-state breach chain |
| CVE-2026-1731 | Feb 2026 | 9.9 | OS Command Injection (/nw endpoint, new code path) | Yes, active mass exploitation |

Remediation

Primary Action

Patch now. Apply BT26-02 or upgrade to the fixed versions (RS 25.3.2+ / PRA 25.1.1+). This is not a “schedule for your next maintenance window” situation. CISA added this to the KEV catalog on February 13 with a short remediation deadline under BOD 22-01 (Binding Operational Directive, the federal mandate that requires agencies to remediate KEV-listed vulnerabilities by a set due date), and exploitation is already active.

Version-Specific Instructions

| Deployment Type | Action |
| --- | --- |
| SaaS / Cloud-hosted | No action needed, automatically patched February 2, 2026. |
| Self-hosted (RS 21.3 – 25.3.1) | Apply patch BT26-02-RS or upgrade to RS 25.3.2+. |
| Self-hosted (PRA 22.1 – 24.3.4) | Apply patch BT26-02-PRA or upgrade to PRA 25.1.1+. |
| Self-hosted (PRA 25.1+) | Not affected. No action needed. |
| Self-hosted (RS < 21.3 / PRA < 22.1) | Upgrade to a supported version first, then apply BT26-02. These legacy versions cannot receive the patch directly but are still vulnerable. |

Interim Mitigations

If patching cannot happen immediately:

  • Restrict network access to the appliance’s web portal using IP allowlists, VPN, or geoblocking. This reduces the attack surface to trusted networks, but note that it may disrupt legitimate remote support workflows depending on your deployment model.
  • Block or monitor WebSocket connections to the /nw endpoint at the WAF or reverse proxy level. This is a more targeted mitigation but may break client connectivity for legitimate BeyondTrust sessions.
  • Take the portal offline temporarily if neither patching nor access restriction is feasible. This is disruptive but eliminates the attack vector entirely.

Post-Compromise Considerations

Given confirmed active exploitation, any organization that had an internet-facing, unpatched BeyondTrust RS or PRA instance prior to applying BT26-02 should assume potential compromise and investigate. BeyondTrust confirmed exploitation attempts began on February 10, 2026, but earlier probing cannot be ruled out. BeyondTrust advises affected customers to open a Severity 1 support ticket citing “BT26-02.” Specific indicators to hunt for:

  • Persistence: SimpleHelp RMM binaries (potentially renamed) in C:\ProgramData\ directories, launched via Bomgar or SYSTEM processes.
  • Account creation: New domain accounts created via net user /add /domain, especially accounts added to Enterprise Admins or Domain Admins via net group.
  • Discovery: Active Directory enumeration using AdsiSearcher or similar LDAP query tools.
  • Lateral movement: PSExec or Impacket SMBv2 sessions across the network.
  • Credential theft: Unusual access to the PRA credential vault, export of stored credentials, or session recording archives.

Detection Guidance

Network-level indicators

  • HTTP GET requests to /get_portal_info followed shortly by WebSocket upgrade requests to /nw from the same source IP. This is the exploitation sequence.
  • WebSocket traffic to /nw on non-standard ports (not just 443). Attackers are actively scanning alternate ports.
  • Outbound connections to OAST (Out-of-Band Application Security Testing) domains. Darktrace observed these as early indicators of exploitation attempts.
  • Connections from unusual ASNs (Autonomous System Numbers, identifiers for networks operated by specific organizations or ISPs) or commercial VPN exit nodes targeting your BeyondTrust appliance.
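The first network indicator above, a GET to /get_portal_info followed shortly by a WebSocket upgrade to /nw from the same source, can be checked with a short correlation over access logs. The script below is an added example, not Orca's or BeyondTrust's code. The log format is an assumption (one request per line as "epoch_seconds source_ip method path status"), and all sample lines are constructed using documentation-range addresses.

```bash
#!/usr/bin/env sh
# Added detection example. Log format and every sample line are constructed;
# adapt the awk field numbers to your reverse proxy or appliance log format.

SAMPLE_LOG='1770724800 203.0.113.7 GET /get_portal_info 200
1770724803 203.0.113.7 GET /nw 101
1770724810 198.51.100.4 GET /get_portal_info 200
1770725900 198.51.100.4 GET /nw 101
1770724820 192.0.2.9 GET /nw 101
1770724830 192.0.2.22 GET /login 200'

# Reads log lines on stdin and prints each source IP that fetched
# /get_portal_info and then completed a WebSocket upgrade to /nw (HTTP 101)
# within $1 seconds (default 60). Each IP is printed at most once.
flag_exploit_sequence() {
    window="${1:-60}"
    awk -v window="$window" '
        $4 == "/get_portal_info" { recon[$2] = $1; next }
        $4 == "/nw" && $5 == 101 && ($2 in recon) {
            delta = $1 - recon[$2]
            if (delta >= 0 && delta <= window && !($2 in flagged)) {
                flagged[$2] = 1
                print $2
            }
        }'
}

echo "Flagged with a 60 second window:"
printf '%s\n' "$SAMPLE_LOG" | flag_exploit_sequence 60
echo "Flagged with a one hour window:"
printf '%s\n' "$SAMPLE_LOG" | flag_exploit_sequence 3600
```

Legitimate BeyondTrust clients also connect to /nw, so the rule keys on the recon-then-upgrade pairing rather than on /nw traffic alone; the window is the main tuning knob, and the one-hour run shows how widening it trades false positives for slower attackers. Because scanners were seen probing ports other than 443, feed the logs from every listener the appliance is reachable on, not only the default one.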

Host-Level Indicators

  • Unexpected child processes spawned by BeyondTrust’s service account (the “site user”), particularly curl, wget, bash, or sh.
  • New or renamed binaries in C:\ProgramData\ or Linux equivalent directories, especially anything associated with SimpleHelp RMM.
  • net user and net group commands executed in the context of BeyondTrust processes.
  • Modifications to thin-scc-wrapper or related thin* binaries outside of a known patching window.

How Can Orca Help?

The Orca Cloud Security Platform enables security teams to respond to threats like CVE-2026-1731 within minutes.

  • Instant Discovery: Identify assets running vulnerable BeyondTrust RS and PRA versions across their cloud environments
  • Context-Aware Prioritization: See which vulnerable assets are internet-facing, in production, or contain sensitive data – focus on what matters first
  • Attack Path Analysis: Understand if this vulnerability creates a path to critical assets or can be chained with other risks

Orca’s News Item view highlights affected assets directly, helping security teams cut through the noise and focus on the instances that matter most.