"The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user. In a report published Thursday, Palo Alto Networks Unit 42 said it detected the security flaw being actively exploited in the wild for network reconnaissance, web shell deployment, command-and-control (C2), backdoor and remote management tool installs, lateral movement, and data theft."
"The cybersecurity company described the vulnerability as a case of sanitization failure that enables an attacker to leverage the affected "thin-scc-wrapper" script that's reachable via WebSocket interface to inject and execute arbitrary shell commands in the context of the site user. "While this account is distinct from the root user, compromising it effectively grants the attacker control over the appliance's configuration, managed sessions and network traffic," security researcher Justin Moore said."
"The current scope of attacks exploiting the flaw range from reconnaissance to backdoor deployment - Using a custom Python script to gain access to an administrative account. Installing multiple web shells across directories, including a PHP backdoor that's capable of executing raw PHP code or running arbitrary PHP code without writing new files to disk, as well as a bash dropper that establishes a persistent web shell. Deploying malware such as VShell and Spark RAT."
Threat actors actively exploit a critical BeyondTrust RS/PRA vulnerability (CVE-2026-1731, CVSS 9.9) to execute operating system commands as the site user. Exploitation supports network reconnaissance, web shell deployment, command-and-control, backdoors, remote management tool installs, lateral movement, and data theft across multiple sectors and countries. The flaw stems from a sanitization failure in the thin-scc-wrapper script accessible via a WebSocket interface, allowing arbitrary shell command injection. Compromise of the site user account grants control over appliance configuration, managed sessions, and network traffic. Attackers employ custom Python scripts, PHP and bash web shells, VShell, Spark RAT, and OAST validation techniques.
#cve-2026-1731 #beyondtrust-remote-support #remote-code-execution #web-shell-deployment #vshell-and-spark-rat
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]