CISA updated its Known Exploited Vulnerabilities catalog to flag CVE-2026-1731 — a critical unauthenticated remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access — after a public proof-of-concept led to in-the-wild exploitation and use in ransomware campaigns. Security firms and trackers including Palo Alto Networks, SecureCyber, and GreyNoise have observed reconnaissance, lateral movement, data theft, web shells, and delivery of payloads such as SparkRAT and the VShell Linux backdoor across multiple sectors and countries. #CVE-2026-1731 #BeyondTrust
Key points
- CISA added CVE-2026-1731 to its KEV catalog on February 13 and instructed federal agencies to remediate by February 16.
- A proof-of-concept posted on February 10 led to exploitation within 24 hours.
- There are no public reports tying the exploitation to specific ransomware groups yet.
- Palo Alto Networks observed reconnaissance, lateral movement, web shells, and delivery of SparkRAT and the VShell Linux backdoor.
- Attacks have targeted financial services, high-tech, healthcare, higher education, legal services, and retail across the US, Canada, Australia, Germany, and France.
Read More: https://www.securityweek.com/beyondtrust-vulnerability-exploited-in-ransomware-attacks/