Derivinate NEWS

BeyondTrust's Critical RCE: How Attackers Bypass Auth in Seconds

A critical vulnerability in BeyondTrust's remote support software is being actively exploited right now. CVE-2026-1731 has a 9.9 CVSS score — nearly perfect severity. Worse: it requires zero authentication, zero user interaction, and works over the network. If you're running unpatched BeyondTrust, attackers have likely already found you.

The Vulnerability: Bash Arithmetic Gets Weaponized

The flaw lives in the `thin-scc-wrapper` component, which handles WebSocket connections during the initial handshake. Here's where it gets interesting: the script parses a `remoteVersion` value from the client to check compatibility.

The problem is how it compares versions. The code uses bash arithmetic contexts — constructs like `(( ... ))` or `let` — to evaluate the version numbers. In bash, these aren't just math. They can execute embedded expressions, including command substitutions like `$(command)`.

The developers added numeric checks in previous patches, but they didn't catch everything. The bash interpreter still evaluates expressions within the input string before doing the comparison. No sanitization. No filtering. Just execution.

An attacker sends a specially crafted `remoteVersion` value containing something like `$(/bin/bash -i)` or any command they want. The script evaluates it. Game over.
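The defensive pattern that the bug description implies, as an added example rather than BeyondTrust's own code: reject any client-supplied version string that is not purely dotted-decimal before it reaches a shell comparison, and compare the fields with plain integer tests instead of an arithmetic context. The names `REQUIRED_VERSION`, `is_version_string`, `version_ge` and `check_remote_version`, and the minimum version value, are assumptions.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: validate a client-supplied version
# string (such as remoteVersion) before any shell arithmetic touches it.
# REQUIRED_VERSION, is_version_string and version_ge are assumed names.

REQUIRED_VERSION="2.5.0"   # assumed minimum version, placeholder value

# The unsafe pattern the article describes, shown only for contrast: the
# untrusted string lands in an arithmetic context, which bash evaluates.
#   (( remote >= 2 )) && echo "compatible"
# Validate first, then compare with plain integer tests on each field.

# Accept only dotted decimal strings: "1", "2.5", "2.5.0" and so on.
# Rejects empty input, any non-digit/non-dot character, and stray dots.
is_version_string() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# version_ge A B: 0 if A >= B, 1 if A < B, 2 if either input is malformed.
# Fields are compared numerically, so 2.10 > 2.9; missing fields count as 0.
version_ge() {
    is_version_string "$1" && is_version_string "$2" || return 2
    rest_a="$1."
    rest_b="$2."
    while [ -n "$rest_a" ] || [ -n "$rest_b" ]; do
        field_a=${rest_a%%.*}; rest_a=${rest_a#*.}
        field_b=${rest_b%%.*}; rest_b=${rest_b#*.}
        # Both fields are digits only here, so [ -gt ] is a safe integer test.
        if [ "${field_a:-0}" -gt "${field_b:-0}" ]; then return 0; fi
        if [ "${field_a:-0}" -lt "${field_b:-0}" ]; then return 1; fi
    done
    return 0
}

# check_remote_version: what a handshake handler should do with the value.
check_remote_version() {
    if version_ge "$1" "$REQUIRED_VERSION"; then
        echo "compatible"
    else
        echo "rejected"   # covers both "too old" and "malformed input"
    fi
}

check_remote_version "2.5.1"            # compatible
check_remote_version '$(echo 99)'       # rejected
```

A malformed value never reaches a comparison at all, so there is nothing left for the shell to evaluate; logging the rejected raw string (rather than interpreting it) is the useful detection hook at this point.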

Attack in Three Steps

Unit 42 from Palo Alto Networks has been tracking active exploitation and documented the full kill chain:

Step 1: Network reconnaissance. The attacker probes for exposed BeyondTrust instances. Palo Alto's telemetry identified 16,400+ potentially vulnerable instances online right now.

Step 2: Exploitation. A single unauthenticated request triggers RCE with high privileges. No credentials needed. No waiting for a user to click something. The attacker immediately has command execution on the target system.

Step 3: Persistence and lateral movement. Once in, attackers deploy webshells, establish command-and-control channels, create new accounts, and move laterally across the network. Unit 42 observed attackers exfiltrating data and disrupting services within hours.

Who's Getting Hit

The vulnerability affects financial services, legal firms, tech companies, higher education, healthcare, and retail. Sectors across the U.S., France, Germany, Australia, and Canada have been targeted. These aren't random attacks — BeyondTrust is a crown jewel for attackers because it's a remote support tool. Compromise it and you've got legitimate-looking access to client networks.

Why This Matters to Your Business

BeyondTrust is used by MSPs, IT teams, and support vendors to remotely access customer systems. If your vendor uses it and doesn't patch immediately, your systems are exposed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this to its Known Exploited Vulnerabilities catalog on February 13, 2026, which means federal agencies must patch now. The private sector should too.

The attack vector is trivial to execute — just a network request. No sophisticated tools. No social engineering. An attacker with basic networking knowledge can exploit this. And they are. Unit 42 confirmed active exploitation across multiple sectors in real time.

What You Should Do Right Now

If you run BeyondTrust: Patch immediately. BeyondTrust released fixes in February 2026. If you're on self-hosted versions, manually apply the patch. If you're on cloud versions, make sure auto-updates are enabled.

If you use a vendor or MSP: Ask them directly: "Are you running BeyondTrust? Is it patched?" Don't accept vague answers. Get confirmation of the specific version and patch date.

If you haven't patched yet: Assume you've been compromised. This vulnerability has been exploited for weeks. Bring in incident response. Check logs for WebSocket connections, bash execution, and unusual account creation. Look for webshells in your directories.

The scary part isn't the vulnerability itself. It's that 16,400+ instances are still exposed. Organizations know about this. CISA announced it. Palo Alto published the full technical details. And yet, thousands of systems remain unpatched. That's not a technical problem. That's an organizational one.

The window for "quiet patching" has closed. Assume attackers have already found your unpatched instances. The question now is whether they've already exploited them.