A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks’ Unit 42.
Multiple BeyondTrust Remote Support users have been confirmed targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare among others.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access.
The flaw was originally discovered by researchers at Hacktron and disclosed to BeyondTrust.
The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
Researchers said the attacks reflect a range of objectives across the various threat groups involved.
“We aren’t seeing just one motive,” Justin Moore, senior manager, Unit 42 at Palo Alto Networks, told Cybersecurity Dive. “We’re seeing a massive race where attackers try to capitalize on the window of time between a vulnerability being found and a patch being installed.”
Unit 42 has identified about a dozen cases where there are either confirmed compromises or high confidence evidence of unauthorized intrusion, Moore said.
GreyNoise researchers warned late last week that reconnaissance activity had begun targeting the vulnerability. The flaw is a variant of CVE-2024-12356, which was linked to the December 2024 hack of the U.S. Treasury Department by Silk Typhoon, a state-linked actor backed by China.
Researchers from VulnCheck said the rise in exploitation activity is not surprising given that details of the flaw and exploit code are publicly available.
“The vulnerable products are designed to enable remote access, which makes them an appealing attack target for both state-sponsored attackers looking to gain persistent access to corporate networks and financially motivated groups looking for new initial access opportunities,” said Caitlin Condon, vice president of research at VulnCheck.
VulnCheck researchers estimate between 4,000 and 10,000 systems are potentially vulnerable, depending on the system used for observation.
BeyondTrust previously confirmed that it had provided support to a limited number of affected customers and that it applied patches for SaaS customers on Feb. 2. Self-hosted customers were urged to apply patches manually if they hadn’t set up automated updates.
The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog a week ago.
Researchers from Defused report what appears to be threat activity from initial access brokers, with hackers dropping scripts used for heavy enumeration of targeted environments, according to CEO Simo Kohonen.
Unit 42 researchers report seeing hackers attempt to install remote management tools such as SimpleHelp and AnyDesk, as well as tunneling tools from Cloudflare. They have also confirmed seeing data theft.
Editor’s note: Updates with comment from Palo Alto Networks Unit 42 researchers and information from Hacktron.