VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

Summary: Unit 42 reported observing VShell and SparkRAT being used in the exploitation of a critical remote code execution vulnerability (CVE-2026-1731) within BeyondTrust's remote support software.

On February 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731, an unauthenticated remote code execution issue within their remote support software. The vulnerability allows attackers to execute operating system commands with high privileges, potentially leading to unauthorized access and data exfiltration.

Unit 42 has observed attackers leveraging this vulnerability through network reconnaissance, webshell deployment, command-and-control traffic, backdoor and remote management tool installation, lateral movement, and data theft across multiple sectors including financial services, legal services, high technology, higher education, wholesale and retail, and healthcare. The U.S. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2026.

Palo Alto Networks' Cortex Xpanse has identified over 16,400 potentially vulnerable instances based on telemetry data. Customers are advised to manually patch any unpatched instances and to engage Palo Alto Networks' Incident Response team for assessments.

Key facts

  • Attackers were observed using VShell and SparkRAT in the exploitation of CVE-2026-1731.
  • The vulnerability is a pre-authenticated remote code execution issue in BeyondTrust's remote support software.
  • It has been assigned a CVSS score of 9.9, reflecting its critical severity.
  • U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2026.

Why it matters

The exploitation of CVE-2026-1731 using VShell and SparkRAT highlights the critical need for immediate remediation across sectors, as this vulnerability poses a significant risk to system integrity and confidentiality. CISA's inclusion of the vulnerability in its KEV Catalog underscores the urgency for both federal agencies and private sector organizations to prioritize mitigation efforts.

Key metrics

  • Potentially vulnerable instances identified: 16,400+ (Palo Alto Networks' Cortex Xpanse telemetry data)