PatchDay Alert
Analysis · 5 min read · 1,080 words · By The Field Notes Desk · Field Notes

BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.

The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.

The fix for CVE-2026-1731 is a regex gate: [[ ! "$remoteVersion" =~ ^[0-9]{1,2}$ ]]. Input validation that checks whether a version string is actually a number. That’s it. That’s what was missing. On a product that serves 75% of the Fortune 500 and handles privileged access to production systems, the WebSocket endpoint was passing user input straight into a Bash arithmetic evaluation without checking if it contained shell metacharacters.

Harsh Jaiswal of Hacktron AI found it by doing exactly what you’d expect someone to do after CVE-2024-12356: he looked at the December 2024 fix, asked whether the same pattern existed elsewhere in the codebase, and it did. Same endpoint family. Same bug class. Fifteen months later.

The patch has been available since February 6. If you’re reading this in May and haven’t applied it, the “What you need to do” section is below. The rest of this piece is about why BeyondTrust keeps showing up here.

What happened

BeyondTrust published advisory BT26-02 on February 6, disclosing CVE-2026-1731, an OS command injection (CWE-78) in the thin-scc-wrapper script used by both Remote Support and Privileged Remote Access. CVSS 9.8 (v3.1), 9.9 (v4.0). No authentication, no user interaction. The vulnerability sits in a Bash arithmetic evaluation triggered during the WebSocket handshake. An attacker sends a crafted remoteVersion parameter, something like a[$(id)]0, and the -lt comparison operator forces Bash to evaluate the embedded command. Connect to the WebSocket endpoint, send the right subprotocol header (ingredi support desk customer thin) and an X-Ns-Company header, and your payload executes as the appliance’s “site user.”

Not root. But the site user controls appliance configuration, active sessions, and the credential vault. Every privileged session flowing through the appliance belongs to whoever owns that account.

BeyondTrust auto-patched SaaS instances on February 2, four days before the public advisory. On-prem customers needed to apply the patch manually. By February 10, a public PoC was circulating. By February 12, Arctic Wolf and watchTowr confirmed mass exploitation. CISA added it to the KEV catalog on February 13 with a 3-day remediation deadline, not the standard two to three weeks.

Why this one matters more than the CVSS score suggests

BeyondTrust RS and PRA are not edge systems you can isolate. They’re often the only approved path for privileged access to production servers and the mechanism your contractors use to reach internal resources. When the appliance is compromised, the attacker inherits the trust model you built around it. That’s not a theoretical concern; it’s the documented post-exploitation chain.

Unit 42 detailed what happens after initial access. Attackers deployed VShell, a fileless Linux backdoor, and SparkRAT, a Go-based remote access trojan previously linked to the DragonSpark campaign. They installed SimpleHelp RMM for persistence, dumped PostgreSQL databases, and moved laterally via PSExec and Impacket toward Domain Admin. A custom Python script hijacked the admin account (User ID 1) for 60-second windows and self-deleted after each use. Sophisticated enough to suggest this wasn’t their first time through a BeyondTrust appliance.

H-ISAC reported victims across financial services, healthcare, legal, education, tech, and retail in the US, Canada, Australia, Germany, and France. CISA confirmed ransomware use, though no specific group has been named publicly. GreyNoise observed that a single IP address accounted for 86% of scanning traffic, which suggests a focused actor, not opportunistic spraying.

Censys counted roughly 16,400 exposed instances at peak, with about 8,500 on-prem.

The repeat-target problem

This is the third critical vulnerability in BeyondTrust RS/PRA in 15 months. CVE-2024-12356 (CVSS 9.8) in December 2024 was a command injection on the same WebSocket endpoint, different code path. CVE-2024-12686 (CVSS 6.6) was a privilege escalation found during forensic investigation of the first. Silk Typhoon (APT27) used both to breach the US Treasury, accessing roughly 3,000 files across 100 workstations and impacting 17 BeyondTrust customers.

Three critical CVEs in the same product, on the same endpoint family, in just over a year. The December 2024 fix addressed one code path; it did not audit the surrounding codebase for the same pattern. A researcher with AI tooling asked the obvious follow-up question and found the answer in days. You have to wonder who else asked it first and didn’t file a report.

If you’re running this product, your patching cadence for these appliances needs to be measured in days, not maintenance windows.

What you need to do

Check your version. Remote Support needs to be on 25.3.2 or later. PRA needs to be on 25.1.1 or later. If you’re on RS older than 21.3 or PRA older than 22.1, you can’t apply the patch directly; you need a full version upgrade first. Open a Sev 1 ticket with BeyondTrust.

Cloud customers: BeyondTrust auto-patched SaaS instances on February 2. Verify your version in the admin console. If you see RS 25.3.2+ or PRA 25.1.1+, you’re covered.

On-prem customers: Apply the patch via the /appliance management interface. The packages are named BT26-02-RS and BT26-02-PRA. Downtime is measured in minutes (rolling restart), but plan your break-glass access procedure first. If BeyondTrust is your only path into production systems and the appliance goes down mid-patch, you need an alternate way in before you start.
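As an added example (not BeyondTrust tooling), a POSIX shell helper that classifies an RS or PRA build against the thresholds above: fixed at RS 25.3.2 / PRA 25.1.1, full upgrade required below RS 21.3 / PRA 22.1. The product labels, the output words and the inventory rows are assumptions of the example.

```shell
#!/bin/sh
# Added example, not BeyondTrust tooling: classify an RS/PRA build against the
# BT26-02 thresholds quoted above (fixed: RS 25.3.2, PRA 25.1.1; below
# RS 21.3 / PRA 22.1 the patch cannot be applied and a full upgrade is needed).

# version_ge A B -> exit 0 if dotted version A >= B, else 1.
# Missing trailing components count as 0, so 25.3 < 25.3.2 and 25.1 == 25.1.0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a= || a=${a#*.}
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# patch_status PRODUCT VERSION -> prints one of:
#   patched | needs-patch | needs-full-upgrade | invalid-version | unknown-product
patch_status() {
    case "$1" in
        RS)  fixed=25.3.2; floor=21.3 ;;
        PRA) fixed=25.1.1; floor=22.1 ;;
        *)   echo unknown-product; return 0 ;;
    esac
    # Only digits and dots reach the numeric comparison (the same idea as the
    # remoteVersion gate, applied to our own input).
    case "$2" in
        ""|*[!0-9.]*) echo invalid-version; return 0 ;;
    esac
    if version_ge "$2" "$fixed"; then
        echo patched
    elif version_ge "$2" "$floor"; then
        echo needs-patch
    else
        echo needs-full-upgrade
    fi
}

# Stand-alone run over a few constructed inventory rows (product, version).
for row in "RS 25.3.2" "RS 24.1.0" "PRA 21.2" "PRA 25.1.1"; do
    set -- $row
    printf '%-4s %-8s %s\n' "$1" "$2" "$(patch_status "$1" "$2")"
done
```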

Network controls, regardless of patch status: Put the appliance behind VPN or ZTNA with IP allowlisting. Restrict all ports, not just 443. The WebSocket endpoint that this vulnerability targets is reachable on the same port as the web interface.

Detection indicators if you were exposed before patching: Look for net user /add commands in audit logs, unexpected .php files in /var/www, Go binaries spawned from Bash, Impacket SMBv2/PSExec lateral movement patterns, and $( or [ characters in WebSocket remoteVersion log entries. BeyondTrust also offers a “CVE-2026-1731 Rapid Response” test in their customer portal.
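The regex gate from the fix (the "What happened" discussion above) and the remoteVersion log indicators in this paragraph, as one added bash example that is not BeyondTrust's script: the numeric check runs ahead of any -lt comparison, and the same rule is then applied as a detector over constructed handshake log lines. The log field layout, the function names and the sample lines are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not BeyondTrust's code: the numeric gate the BT26-02 fix put in
# front of the remoteVersion -lt comparison, and the same rule reused as a
# detector over constructed WebSocket log lines (field layout is assumed).

# valid_remote_version VALUE -> 0 if VALUE is one or two ASCII digits, else 1.
valid_remote_version() {
    [[ "$1" =~ ^[0-9]{1,2}$ ]]
}

# hardened_version_check VALUE MINIMUM -> prints ok | too-old | rejected.
# -lt puts its operands through Bash arithmetic evaluation, so the gate must
# run first; a rejected value never reaches the arithmetic context at all.
hardened_version_check() {
    local v=$1 min=$2
    valid_remote_version "$v" || { echo rejected; return 0; }
    if [[ "$v" -lt "$min" ]]; then echo too-old; else echo ok; fi
}

# flag_suspicious_lines < LOG -> echoes every line whose remoteVersion value
# fails the gate or carries the '$(' / '[' markers named in the indicators.
# Assumes a "remoteVersion=<value>" token per line; adapt to the real format.
flag_suspicious_lines() {
    local line val
    while IFS= read -r line; do
        [[ "$line" =~ remoteVersion=([^[:space:]]*) ]] || continue
        val=${BASH_REMATCH[1]}
        if ! valid_remote_version "$val" || [[ "$val" == *'$('* || "$val" == *'['* ]]; then
            printf '%s\n' "$line"
        fi
    done
}

# suspicious_count < LOG -> prints the number of flagged lines.
suspicious_count() {
    flag_suspicious_lines | grep -c ''
}

# Constructed sample log for a stand-alone run (not real appliance output).
SAMPLE_LOG='2026-02-11T03:14:07Z ws handshake src=198.51.100.7 remoteVersion=12 company=acme
2026-02-11T03:14:09Z ws handshake src=203.0.113.5 remoteVersion=a[x]0 company=acme
2026-02-11T03:14:11Z ws handshake src=203.0.113.5 remoteVersion=12abc company=acme
2026-02-11T03:14:12Z ws handshake src=198.51.100.9 remoteVersion=7 company=acme'

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_lines
```

The gate is deliberately stricter than the two-character indicators: any value that is not a one- or two-digit number is worth a look, even without a metacharacter.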

The window

The patch has been available for three months. The exploitation is confirmed, the ransomware use is confirmed, and the post-exploitation tooling is sophisticated. There is no workaround. Patching is the only remediation.

If you patched in February, check your network controls and detection coverage for the indicators above. If you haven’t patched, the conversation about scheduling a maintenance window ended about 12 weeks ago. This is now an incident response question: are you compromised, and how fast can you close the door?

PatchDay Alert flagged this vulnerability the day it hit the KEV catalog. Three months later, with roughly 8,500 on-prem instances exposed at peak, some of those appliances are still unpatched. The gap between “advisory published” and “patch applied” is where every one of these breaches lives.
