VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
Essential information
- Published
- 20/02/2026 00:28
- Modified
- 20/02/2026 13:14
- Tags
- 2026-02-20 CVE-2026-1731 beyondtrust data theft lateral movement remote code execution sparkrat vshell webshell
- Related entities
- 1 vulnerabilities (cve), 14 observables, 11 techniques (mitre), 2 malware, 17 others
Description
A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.