On 6 February 2026, BeyondTrust published security advisory BT26-02, disclosing a critical pre-authentication remote code execution (RCE) vulnerability in two of its remote access products: Remote Support (RS) and Privileged Remote Access (PRA). The flaw is tracked as CVE-2026-1731 and has been under active exploitation, including ransomware campaigns.
What the vulnerability is
CVE-2026-1731 is an operating system command injection flaw located in the thin-scc-wrapper component. A remote, unauthenticated attacker can send specially crafted requests, typically over a WebSocket connection, to execute arbitrary OS commands in the context of the service user. This results in full server compromise: remote shell, file access, process execution, and lateral movement into the rest of the infrastructure.
The severity rating is among the highest possible: a CVSS v4.0 score of 9.9 (NVD references list a CVSS score of 9.8). The attack vector is network-based and requires neither credentials nor user interaction, which makes it especially dangerous for Internet-facing servers.
Who is affected
Affected versions are Remote Support 25.3.1 and earlier and Privileged Remote Access 24.3.4 and earlier. The risk falls primarily on on-premises instances reachable from the Internet. Researchers at Hacktron AI, who discovered the flaw via AI-assisted variant analysis, identified roughly 8,500 exposed on-premises instances; later telemetry from Unit 42 (Palo Alto Networks) raised the count to more than 16,400 potentially vulnerable instances.
These products are commonly used by help desks, MSPs, and support teams to access customer systems with elevated privileges, so a compromise can cascade across multiple organizations.
Severity and real-world exploitation
The flaw was exploited as a zero-day from late January 2026. On 13 February 2026, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog and later updated the entry to enable the ransomware marker, confirming its use in encryption-and-extortion operations.
Unit 42 documented in-the-wild activity tied to the SparkRAT and VShell malware families, with attackers focused on data theft: in several investigated compromises they attempted to exfiltrate configuration files, internal databases, and even a full PostgreSQL dump to attacker-controlled command-and-control (C2) servers. A public proof of concept also exists, sharply lowering the barrier to mass exploitation.
Mitigation and patch
The recommendation is to update immediately to the fixed versions published by BeyondTrust in advisory BT26-02. Additional measures:
- Restrict access to RS/PRA consoles, avoiding direct Internet exposure (use VPN, access control lists, or segmentation).
- Review logs and WebSocket connections for anomalous requests and for the indicators of compromise published by Unit 42.
- Assume compromise if the server was exposed while unpatched: rotate credentials, review database dumps, and hunt for SparkRAT/VShell artifacts.
Because this is a CISA KEV entry with a ransomware marker, organizations under federal directive must apply the fix within the mandated deadline, and everyone else should treat it as a top priority.
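The affected-version ranges and the "assume compromise if exposed while unpatched" rule above are enough to triage an inventory of appliances. The script below is an added example, not code from BeyondTrust, Hacktron AI, or Unit 42: it parses each host's reported version, compares it against the last affected release per product (RS 25.3.1, PRA 24.3.4), and assigns a priority according to whether the host was Internet-reachable. The host list, host names, and the product codes "RS"/"PRA" are constructed assumptions, and only the three-component version as printed in the advisory summary is compared.

```python
"""
Inventory triage for CVE-2026-1731 (BeyondTrust advisory BT26-02).

Flags Remote Support (RS) and Privileged Remote Access (PRA) instances whose
version is at or below the last affected release and ranks Internet-exposed
ones first, since those should be treated as compromised until proven otherwise.
Added example; not BeyondTrust, Hacktron AI or Unit 42 code.
"""
from dataclasses import dataclass
import re

# Last affected release per product, as stated in the advisory summary:
# RS 25.3.1 and earlier, PRA 24.3.4 and earlier.
AFFECTED_MAX = {
    "RS": (25, 3, 1),
    "PRA": (24, 3, 4),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '25.3.1' (or '24.9.0-hotfix1') into a three-component tuple.

    Assumption: the advisory names three-component versions, so a missing
    component is padded with 0 and any fourth build component is ignored.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(product: str, version: str) -> bool:
    """True when the version is at or below the last affected release."""
    if product not in AFFECTED_MAX:
        raise ValueError(f"unknown product code: {product!r}")
    return parse_version(version) <= AFFECTED_MAX[product]


@dataclass
class Host:
    name: str
    product: str           # "RS" or "PRA" (constructed codes for this example)
    version: str           # version string as reported by the appliance
    internet_exposed: bool  # reachable from the Internet while unpatched?


def triage(hosts: list[Host]) -> list[tuple[str, str]]:
    """Return (host name, action) for every affected host.

    'assume-compromise': affected and Internet-exposed, so rotate credentials,
    review database dumps and hunt for SparkRAT/VShell artifacts as well as patch.
    'patch': affected but not Internet-exposed; update to the BT26-02 fix.
    Exposed hosts are listed first, then alphabetically by name.
    """
    findings = []
    for h in hosts:
        if not is_affected(h.product, h.version):
            continue
        action = "assume-compromise" if h.internet_exposed else "patch"
        findings.append((h.name, action))
    findings.sort(key=lambda f: (f[1] != "assume-compromise", f[0]))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("rs-dmz-01", "RS", "25.3.1", True),
    Host("rs-internal-02", "RS", "25.3.2", False),
    Host("pra-dmz-01", "PRA", "24.3.4", True),
    Host("pra-lab-03", "PRA", "24.1.0", False),
    Host("rs-hq-04", "RS", "24.9.0-hotfix1", False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_HOSTS):
        print(f"{action:18} {name}")
```

The comparison is inclusive on purpose: a host running exactly 25.3.1 or 24.3.4 is still affected, and an exposed one is treated as compromised rather than merely "needs patching".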