TL-2026-0124 CRITICAL 2026-02-22 Vulnerability Alert

CVE-2026-1731: BeyondTrust Pre-Auth RCE — WebSocket Command Injection, CVSS 9.9

Threadlinqs Intelligence

Threat ID: TL-2026-0124 | Severity: CRITICAL | Status: ACTIVE

CVE: CVE-2026-1731 | CVSS: 9.9 (v4) / 9.8 (v3.1) | CWE: CWE-78

Actor: Multiple (Silk Typhoon/APT27 linked) | Nation: China | Motivation: ESPIONAGE

MITRE Techniques: 33 | Detections: 9


Executive Summary

BeyondTrust Privileged Remote Access — the tool your admins use to manage everything — had a critical RCE chain that Silk Typhoon exploited before anyone knew about it. CVE-2026-1731 scores CVSS 9.9 and lives in the thin-scc-wrapper bash script, which evaluates unsanitized remoteVersion input during the WebSocket handshake via bash arithmetic contexts. One crafted parameter. Full OS command injection. No authentication required. With over 16,400 exposed instances identified by Cortex Xpanse and active exploitation confirmed within 24 hours of the public PoC drop on February 10, 2026, this vulnerability is under widespread attack. Below: the exploitation chain, post-exploitation tradecraft (VShell, SparkRAT, China Chopper), and production-ready detection queries.

GreyNoise intelligence observing active reconnaissance for BeyondTrust CVE-2026-1731 — proof-of-concept exploitation detected within 24 hours of disclosure.

Technical Analysis

The Bash Arithmetic Injection

The vulnerability targets the thin-scc-wrapper component, a bash script that handles incoming WebSocket connections on the /nw endpoint. During the handshake, the script performs a version comparison using bash arithmetic evaluation — contexts like (( ... )) or let statements that inherently process command substitutions before the comparison executes.

The payload format a[$(cmd)]0 forces bash to evaluate the embedded command substitution $(cmd) during arithmetic context processing. The remoteVersion parameter is passed directly into this context without sanitization, meaning any shell command injected into the version string executes as the BeyondTrust site user.

The site user context is not root, but it controls appliance configuration — sufficient to create administrative accounts, deploy webshells, modify Apache configurations, and dump backend databases. The attacker owns the box at this point.

Side note: when your PAM vendor gets popped, the blast radius isn't one network — it's every network they manage. BeyondTrust's customer base spans financial services, healthcare, and government, which is exactly what makes this class of vulnerability so dangerous.

Same endpoint, different bug. CVE-2024-12356, exploited by Silk Typhoon in December 2024 to breach the US Treasury, targeted the same WebSocket path. The December 2024 patch introduced numeric coherence checks, but those measures did not fully prevent bash expression evaluation within input strings. CVE-2026-1731 was discovered through AI-enabled variant analysis that identified this bypass on January 31, 2026.
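To make the bug class concrete, here is a constructed side-by-side of the vulnerable pattern and a hardened one (added here; not the BeyondTrust wrapper's code). It assumes bash is installed and uses a harmless marker file to show that the command substitution runs before the version comparison ever completes.

```shell
#!/bin/sh
# Constructed illustration of the bug class, not the BeyondTrust wrapper's own code.
# Assumes bash is installed: evaluating $(cmd) inside arithmetic is a bash behaviour.
MIN_VERSION=5

# Vulnerable pattern: an untrusted version string is compared inside a (( )) context.
# When a variable's value is not a plain number, bash evaluates the value as an
# expression, and an array subscript such as a[$(cmd)] gets $(cmd) expanded and
# executed before the comparison is made. Input: version string.
vulnerable_check() {
    bash -c 'v="$1"; min="$2"
             if (( v >= min )); then echo accepted; else echo rejected; fi' \
        _ "$1" "$MIN_VERSION" 2>/dev/null
}

# Hardened pattern: accept only dotted-decimal digits before any arithmetic runs,
# then compare the numeric major component. Input: version string.
safe_check() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) echo rejected; return 1 ;;
    esac
    major="${1%%.*}"
    if [ "$major" -ge "$MIN_VERSION" ]; then
        echo accepted
    else
        echo rejected; return 1
    fi
}
```

The hardened check is the same validation recommendation 2 below asks for: non-numeric remoteVersion values never reach an arithmetic context.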

Attack Chain

Based on Unit 42 analysis of active exploitation campaigns, the post-exploitation sequence follows a consistent pattern:

  1. Initial Access — WebSocket connection to /nw with crafted remoteVersion payload containing a[$(cmd)]0 arithmetic injection
  2. Admin Takeover — Custom Python script exploits check_auth binary to temporarily grant administrative access (User ID 1) for 60 seconds by swapping password hashes, then self-destructs
  3. Persistence — PHP webshells deployed to web root: aws.php (China Chopper/AntSword variant with DQo= CRLF delimiters), one-line eval() backdoors, and file_save.php via config STOMPing
  4. Config STOMPing — Bash dropper writes webshell, injects malicious Apache Location directive pointing to /ns/tmp/php-fpm.sock, restarts Apache to load configuration into memory, then overwrites the disk copy with the clean backup
  5. RAT Deployment — VShell (fileless Linux implant via memfd), SparkRAT (Go-based cross-platform RAT), and Meterpreter reverse shells on port 4444. Three separate callback channels. Redundancy matters when you're hopping boxes inside a PAM appliance.
  6. Lateral Movement — SimpleHelp, AnyDesk, Cloudflare tunnels, and Ligolo-ng proxy for internal network pivoting; domain account creation for Active Directory persistence
  7. Defense Evasion — DNS tunneling via OAST: hostnames hex-encoded and transmitted as DNS queries to oastify[.]com and oast[.]pro domains, chunked into 63-character label segments
  8. Exfiltration — PostgreSQL database dumps pulled out through attacker C2 infrastructure

Threat Actor Attribution

Attribution for CVE-2026-1731 exploitation remains at MEDIUM confidence. Based on our analysis of post-exploitation artifacts across multiple incident reports, the webshell signatures — particularly aws.php with DQo= delimiters — match China Chopper and AntSword tooling historically associated with PRC-nexus operations. The deployment of VShell and SparkRAT aligns with Chinese espionage tradecraft documented in the 2023 DragonSpark campaign. Your PAM tool. Compromised. Your credentials. Extracted.

Silk Typhoon (also tracked as APT27, Emissary Panda, UNC5221) exploited the predecessor vulnerability CVE-2024-12356 to breach the US Treasury in December 2024. In March 2025, the DOJ charged 12 Chinese contract hackers linked to that operation. GreyNoise observed replay of the Treasury breach chain from a Polish hosting provider in January 2026, suggesting continued interest in the BeyondTrust attack surface.

The reconnaissance profile is notable: a single IP accounted for 86% of all scanning activity, operating from a Frankfurt-based commercial VPN. TCP fingerprinting revealed a Linux-only stack with MSS 1358 (VPN tunnel encapsulation), and JA4+ signatures did not match any known application. Two distinct exploit tool variants — a lightweight 5-header version and a 7-header variant — indicate at least two separate operator toolchains.

The Hacker News coverage of BeyondTrust's critical pre-authentication RCE vulnerability in Remote Support and Privileged Remote Access products.

Detection

The exploitation chain produces distinctive telemetry at multiple stages — from the initial WebSocket injection through webshell deployment and DNS tunneling exfiltration. What caught our attention was how noisy the post-exploitation phase is relative to the quiet initial access vector.

Threadlinqs Intelligence tracks 9 production-ready detections for this threat across SPL, KQL, and Sigma.

Splunk SPL — WebSocket Pre-Auth RCE via SCC Wrapper

Catching the initial exploitation: bomgar-scc or thin-scc-wrapper spawning shell interpreters should never happen during legitimate WebSocket handshakes.

(index=sysmon OR index=endpoint) (sourcetype=sysmon OR sourcetype=linux:auditd)
(parent_process_name="bomgar-scc" OR parent_process_name="thin-scc-wrapper"
    OR parent_process_path="/opt/bomgar/scc/*")
process_name IN ("bash", "sh", "dash", "python", "python3", "perl", "curl", "wget", "nslookup")
| eval risk_score=case(
    process_name IN ("bash", "sh", "dash"), 95,
    process_name IN ("python", "python3", "perl"), 90,
    process_name IN ("curl", "wget"), 85,
    process_name="nslookup", 80,
    1=1, 70
)
| stats count AS exec_count max(risk_score) AS risk_score values(process_name) AS shells
    values(process_command_line) AS commands earliest(_time) AS first_seen latest(_time) AS last_seen
    by host, parent_process_name
| sort -risk_score

Splunk SPL — Admin Hash Swap and Webshell Persistence

Here, we target the 60-second admin takeover and webshell deployment phases.

(index=sysmon OR index=endpoint) (sourcetype=sysmon OR sourcetype=linux:auditd)
(
    (file_path="/opt/bomgar/www/*" AND file_name IN ("aws.php", "file_save.php", "maintenance.php"))
    OR (process_command_line="*check_auth*" AND process_command_line="*password*")
    OR (process_name="apachectl" AND process_command_line="*restart*")
    OR (file_path="/opt/bomgar/www/*" AND file_extension="php" AND action="created")
)
| eval stage=case(
    match(file_name, "aws\.php|file_save\.php|maintenance\.php"), "webshell_deploy",
    match(process_command_line, "check_auth"), "admin_takeover",
    match(process_command_line, "apachectl.*restart"), "config_stomp",
    file_extension="php" AND action="created", "suspicious_php_creation",
    1=1, "unknown"
)
| bin _time span=15m
| stats count values(stage) AS attack_stages values(file_path) AS files by host, _time
| where mvcount(attack_stages) > 1

Microsoft KQL — WebSocket RCE with Bash Arithmetic Injection

Correlating network connections to BeyondTrust WebSocket endpoints with subsequent shell process spawning:

let beyondtrust_parents = dynamic(["bomgar-scc", "thin-scc-wrapper"]);
let suspicious_children = dynamic(["bash", "sh", "dash", "python", "python3", "perl", "curl", "wget", "nslookup"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in (beyondtrust_parents)
    or InitiatingProcessFolderPath contains "/opt/bomgar/scc/"
| where FileName in (suspicious_children)
| extend CommandLine = ProcessCommandLine
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, ProcessId
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort in (443, 8443, 9443)
    | where RemoteUrl contains "/nw" or RemoteUrl contains "get_portal_info"
    | project NetworkTimestamp = Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
) on DeviceName
| where NetworkTimestamp between (Timestamp - 5m .. Timestamp)
| project Timestamp, DeviceName, RemoteIP, InitiatingProcessFileName, FileName, CommandLine

Microsoft KQL — OAST DNS Tunneling Exfiltration

DNS tunneling exfiltration via out-of-band application security testing (OAST) infrastructure is noisy if you know where to look.

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "DnsQueryResponse"
| extend QueryDomain = tostring(AdditionalFields.DnsQueryString)
| where QueryDomain has_any ("oastify.com", "oast.pro", "oast.fun", "interact.sh", "burpcollaborator.net")
    or (strlen(QueryDomain) > 80 and QueryDomain matches regex @"^[a-f0-9]{20,63}\.")
| project Timestamp, DeviceName, QueryDomain, ProcessId, InitiatingProcessFileName
| summarize QueryCount = count(), UniqueSubdomains = dcount(QueryDomain) by DeviceName, bin(Timestamp, 1h)
| where QueryCount > 5 or UniqueSubdomains > 3

Sigma — PHP Webshell in BeyondTrust Web Directories

PHP files appearing in BeyondTrust web directories — the persistence mechanism used across every observed campaign — trigger this rule.

title: PHP Webshell Creation in BeyondTrust Web Directories
id: 7c2f9a1e-3d5b-4e8c-9a1f-6b4d2e8c3a5f
status: experimental
description: Detects creation of PHP files in BeyondTrust Remote Support/PRA web directories, indicating webshell deployment following CVE-2026-1731 exploitation
references:
    - https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/
    - https://intel.threadlinqs.com/#TL-2026-0124
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.persistence
    - attack.t1505.003
    - cve.2026.1731
logsource:
    category: file_event
    product: linux
detection:
    selection_path:
        TargetFilename|contains:
            - '/opt/bomgar/www/'
            - '/opt/beyondtrust/www/'
    selection_ext:
        TargetFilename|endswith: '.php'
    selection_names:
        TargetFilename|endswith:
            - 'aws.php'
            - 'file_save.php'
            - 'maintenance.php'
    condition: (selection_path and selection_ext) or selection_names
falsepositives:
    - Legitimate BeyondTrust software updates
    - Authorized plugin installations
level: critical

Sigma — BeyondTrust SCC Spawning Shell Interpreters

When the BeyondTrust SCC process spawns unexpected shell processes, something has gone very wrong. That is exactly what this Sigma rule catches.

title: BeyondTrust SCC Wrapper Spawning Shell Interpreters
id: 4e8b1c3f-6a2d-4f7e-b9c1-5d3a7f2e8b4c
status: experimental
description: Detects bomgar-scc or thin-scc-wrapper spawning shell interpreters, indicating CVE-2026-1731 bash arithmetic injection exploitation
references:
    - https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/
    - https://intel.threadlinqs.com/#TL-2026-0124
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.004
    - cve.2026.1731
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            - '/bomgar-scc'
            - '/thin-scc-wrapper'
        ParentImage|contains: '/opt/bomgar/'
    selection_child:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/dash'
            - '/python'
            - '/python3'
            - '/perl'
            - '/curl'
            - '/wget'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate BeyondTrust diagnostic or update operations
level: critical

Palo Alto Unit 42 research documenting VShell and SparkRAT open-source RATs deployed as post-exploitation payloads via BeyondTrust CVE-2026-1731.

Indicators of Compromise

Network Indicators


File Indicators

Type | Indicator | Context
Filename | aws.php | China Chopper/AntSword webshell
Filename | file_save.php | Config STOMPing dropper
Filename | maintenance.php | Persistence webshell
Filename | blue.drx | Malicious script payload

Behavioral Indicators

Timeline

Date | Event
2024-12-16 | Silk Typhoon exploits CVE-2024-12356 to breach US Treasury via same endpoint
2025-03-05 | DOJ charges 12 Chinese contract hackers linked to Treasury breach
2026-01-05 | GreyNoise observes replay of Treasury breach chain from Polish infrastructure
2026-01-31 | CVE-2026-1731 discovered via AI-enabled variant analysis
2026-02-02 | BeyondTrust auto-patches SaaS instances
2026-02-06 | Advisory BT26-02 publicly disclosed
2026-02-10 | Public PoC published on GitHub by win3zz
2026-02-11 | GreyNoise detects reconnaissance within 24 hours of PoC
2026-02-13 | CISA adds to KEV Catalog with 3-day remediation deadline
2026-02-19 | Unit 42 publishes exploitation analysis documenting VShell/SparkRAT
2026-02-21 | Threadlinqs Intelligence publishes TL-2026-0124

MITRE ATT&CK Mapping

Tactic | Technique | ID | Context
Initial Access | Exploit Public-Facing Application | T1190 | WebSocket bash arithmetic injection
Execution | Unix Shell | T1059.004 | Command execution via $(cmd) substitution
Execution | PowerShell | T1059.001 | Post-exploitation scripts and Nezha agents
Persistence | Web Shell | T1505.003 | aws.php, file_save.php, maintenance.php
Persistence | Account Manipulation | T1098 | 60-second admin hash swap via check_auth
Persistence | Create Account: Local | T1136.001 | Local accounts on compromised appliances
Persistence | Create Account: Domain | T1136.002 | AD domain accounts for lateral movement
Privilege Escalation | Valid Accounts: Local | T1078.003 | User ID 1 admin takeover
Defense Evasion | File Deletion | T1070.004 | Self-destructing Python exploit scripts
Defense Evasion | Masquerading | T1036.005 | VShell masquerading as system services
Defense Evasion | Obfuscated Files | T1027 | Base64-encoded webshell payloads
Credential Access | Credentials from Stores | T1555 | PostgreSQL credential extraction
Discovery | Domain Account Discovery | T1087.002 | Active Directory enumeration
Lateral Movement | RDP | T1021.001 | Internal network pivoting
C2 | Web Protocols | T1071.001 | SparkRAT/VShell HTTP C2
C2 | DNS | T1071.004 | OAST DNS tunneling exfiltration
C2 | Protocol Tunneling | T1572 | Cloudflare tunnels, Ligolo-ng
C2 | Remote Access Software | T1219 | SimpleHelp, AnyDesk abuse
Exfiltration | Over C2 Channel | T1041 | Database dumps to attacker C2
Exfiltration | Alternative Protocol | T1048.003 | DNS-based data exfiltration

TL-2026-0124 on Threadlinqs Intelligence — BeyondTrust pre-auth RCE (CVE-2026-1731, CVSS 9.9) with active exploitation, CISA KEV listing, and 9/9 detection coverage.

Recommendations

Patch first. Hunt second. Monitor indefinitely.
  1. Patch immediately to Remote Support v25.3.2+ or Privileged Remote Access v25.1.1+. Self-hosted instances require manual update; SaaS instances were auto-patched February 2
  2. Block WebSocket access to the /nw endpoint from untrusted sources via WAF or reverse proxy rules. Implement input validation rejecting non-numeric remoteVersion values
  3. Hunt for webshells in /opt/bomgar/www/ — specifically aws.php, file_save.php, and maintenance.php. Check Apache configurations for injected Location directives pointing to unexpected Unix sockets
  4. Audit User ID 1 password hash for unauthorized modifications. Review admin account login history and session logs for 60-second access windows
  5. Monitor DNS egress for hex-encoded subdomain queries to OAST infrastructure (oastify.com, oast.pro, interact.sh). Implement strict egress filtering on appliance outbound connections
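The webshell and Apache-socket hunts in recommendation 3, as constructed shell helpers added here (not a Threadlinqs or BeyondTrust script). The web root, allowlist, config file and expected socket directory are assumptions passed in by the caller; the sample tree it builds is constructed, with only the aws.php name and the /ns/tmp/php-fpm.sock path taken from the campaign description above.

```shell
#!/bin/sh
# Constructed hunt helpers for recommendation 3; not a Threadlinqs or BeyondTrust script.

# Print PHP files under a web root that are absent from an allowlist of known-good
# relative paths (one per line). Arguments: web root, allowlist file.
hunt_php_files() {
    webroot="$1"; allowlist="$2"
    find "$webroot" -type f -name '*.php' | sort | while IFS= read -r f; do
        rel="${f#"$webroot"/}"
        grep -qxF "$rel" "$allowlist" || printf 'UNEXPECTED_PHP %s\n' "$rel"
    done
}

# Print every unix: socket referenced inside a <Location> block that lies outside the
# directory where the appliance's php-fpm sockets belong. Arguments: config file,
# expected socket directory. Because config STOMPing restores the clean file on disk
# after Apache has loaded the injected one, a clean result here does not clear the
# host: also check whether the unexpected socket path exists on the live system.
hunt_location_sockets() {
    conf="$1"; expected="$2"
    awk '/<Location/ {inloc=1} inloc && /unix:/ {print} /<\/Location>/ {inloc=0}' "$conf" \
    | sed -n 's/.*unix:\([^|"[:space:]]*\).*/\1/p' \
    | while IFS= read -r sock; do
        case "$sock" in
            "$expected"/*) ;;
            *) printf 'UNEXPECTED_SOCKET %s\n' "$sock" ;;
        esac
    done
}

# Build a constructed sample tree and config, run both hunts, and print the findings.
run_sample_hunt() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/app" "$tmp/etc"
    : > "$tmp/www/index.php"; : > "$tmp/www/app/login.php"; : > "$tmp/www/aws.php"
    printf 'index.php\napp/login.php\n' > "$tmp/allowlist.txt"
    cat > "$tmp/etc/httpd.conf" <<'EOF'
<Location "/api">
    SetHandler "proxy:unix:/run/php-fpm/site.sock|fcgi://localhost"
</Location>
<Location "/file_save.php">
    SetHandler "proxy:unix:/ns/tmp/php-fpm.sock|fcgi://localhost"
</Location>
EOF
    hunt_php_files "$tmp/www" "$tmp/allowlist.txt"
    hunt_location_sockets "$tmp/etc/httpd.conf" /run/php-fpm
    rm -rf "$tmp"
}
```

On a real appliance, run the two hunt functions against the actual web root and Apache configuration, and build the allowlist from a known-clean install of the same version.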

References


Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0124.