# BeyondTrust Exploited by Hackers via Newly Disclosed Vulnerability (CVE-2026-1731)
In February 2026, researchers from Hacktron AI discovered a critical vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731. This flaw has been actively exploited by threat actors to deploy malware, gain persistence, move laterally, and control compromised systems.
The vulnerability allows an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in. If exploited, this could lead to full remote code execution, potentially resulting in data theft, service disruption, and full system compromise. BeyondTrust released patches for CVE-2026-1731 on February 6, after the Hacktron AI team warned that thousands of instances were exposed online.
Threat actors have been using the vulnerability to conduct a wide range of malicious activities, including deploying VShell and other tools to gain persistence, move laterally, and maintain remote control over compromised systems. GreyNoise detected attack attempts within 24 hours after a PoC exploit went public on February 10.
A custom Python script was used by attackers to briefly hijack the main admin account (User ID 1) for 60 seconds. The script leveraged the application's own authentication binary to generate a valid hash for the password string and inject it into the database, minimizing traces and evading detection.
Palo Alto Networks Unit 42 confirmed that the flaw is being actively exploited for reconnaissance, web shell deployment, C2 activity, backdoor installation, lateral movement, and data theft. The campaign has hit multiple sectors, including finance, legal, tech, education, retail, and healthcare, across the U.S., France, Germany, Australia, and Canada.
The attackers used a range of tools to persist on compromised systems, including SparkRAT, VShell, PowerShell downloaders, a multi-method Linux "download-and-execute" cradle, and attempted Meterpreter reverse shells over port 4444. Recently, the Cybersecurity and Infrastructure Security Agency warned that CVE-2026-1731 has been actively exploited in ransomware campaigns.
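The two behaviours described above, a brief set-then-restore change to the main admin account's password hash and Meterpreter reverse shells over port 4444, are the kind of thing a defender can hunt for in exported audit and network logs. The script below is an added example written for this article, not BeyondTrust's or Unit 42's code; the key=value log format and the sample lines are constructed for illustration and are not BeyondTrust's real log schema, so the parser would need to be adapted to the appliance's actual export.

```python
from datetime import datetime, timedelta

# Constructed sample lines in an assumed generic "TIMESTAMP CHANNEL key=value ..." format.
# This is NOT BeyondTrust's real log schema; the IPs are documentation ranges.
SAMPLE_LOG = """\
2026-02-11T03:14:05Z audit user_id=1 event=password_hash_changed actor=unauth-api src=198.51.100.23
2026-02-11T03:14:06Z auth user_id=1 event=login_success src=198.51.100.23
2026-02-11T03:15:02Z audit user_id=1 event=password_hash_changed actor=unauth-api src=198.51.100.23
2026-02-11T03:15:20Z net proto=tcp dst=203.0.113.9 dport=4444 direction=outbound bytes=512
2026-02-11T09:00:00Z audit user_id=7 event=password_hash_changed actor=user_id=7 src=10.0.0.5
2026-02-11T09:30:00Z net proto=tcp dst=10.0.0.8 dport=443 direction=outbound bytes=9000
"""


def parse_line(line):
    """Parse one 'TIMESTAMP CHANNEL key=value ...' line into a dict; None for unusable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "channel": parts[1]}
    for tok in parts[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)  # split once so values may contain '='
            rec[key] = value
    return rec


def parse_log(text):
    """Parse every line of the log text, dropping lines the parser cannot read."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_short_lived_credential_changes(records, user_id="1", window=timedelta(minutes=5)):
    """Flag two password-hash changes on the same account inside `window`.

    A legitimate reset is normally a single change; a change followed by another one
    within a minute or so matches the set-then-restore pattern of a brief account hijack.
    """
    changes = sorted(
        (r for r in records
         if r.get("event") == "password_hash_changed" and r.get("user_id") == user_id),
        key=lambda r: r["ts"],
    )
    alerts = []
    for first, second in zip(changes, changes[1:]):
        delta = second["ts"] - first["ts"]
        if delta <= window:
            alerts.append({
                "user_id": user_id,
                "first": first["ts"],
                "second": second["ts"],
                "seconds": int(delta.total_seconds()),
                "src": first.get("src"),
            })
    return alerts


def find_outbound_to_ports(records, ports=frozenset({4444})):
    """Return outbound network records whose destination port is in `ports`.

    4444 is the default Meterpreter listener port; extend `ports` with any others
    your environment treats as suspicious.
    """
    return [
        r for r in records
        if r.get("channel") == "net"
        and r.get("direction") == "outbound"
        and r.get("dport", "").isdigit()
        and int(r["dport"]) in ports
    ]


def triage(text):
    """Run both checks over a log export and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "admin_hijack": find_short_lived_credential_changes(records),
        "outbound_c2_ports": find_outbound_to_ports(records),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed sample the admin-hijack check fires once (two hash changes on user ID 1 about a minute apart from the same source address) and the port check fires once for the outbound connection to port 4444; the ordinary reset on user ID 7 and the HTTPS connection are not reported. The five-minute window is deliberately wider than the 60-second hijack described above so that timing jitter in real logs does not hide the pattern.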
To prevent abuse of this critical vulnerability, it is essential for organizations using BeyondTrust RS and PRA to apply the available patches as soon as possible. This means deploying the security updates that address the critical flaw in BeyondTrust's Remote Support product and older Privileged Remote Access products.
In conclusion, CVE-2026-1731 has been a significant target for hackers, allowing them to deploy malware and maintain control over compromised systems. Organizations must prioritize patching these vulnerable BeyondTrust products to prevent abuse and protect their data.