A critical vulnerability in BeyondTrust Remote Support is seeing a surge in threat activity, with hackers deploying SpartRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks’ Unit 42.
Multiple BeyondTrust Remote Support users have been confirmed as targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access.
The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
GreyNoise researchers warned late last week that reconnaissance activity had begun targeting the vulnerability. The flaw is a variant of CVE-2024-12356, which was linked to the December 2024 hack of the U.S. Treasury Department by Silk Typhoon, a state-linked actor backed by China.
Researchers from VulnCheck said the rise in exploitation activity is not surprising given that details of the flaw and exploit code are publicly available.
“The vulnerable products are designed to enable remote access, which makes them an appealing attack target for both state-sponsored attackers looking to gain persistent access to corporate networks and financially motivated groups looking for new initial access opportunities,” said Caitlin Condon, vice president of research at VulnCheck.
VulnCheck researchers estimate between 4,000 and 10,000 systems are potentially vulnerable, depending on the system used for observation.
BeyondTrust previously confirmed that it had supported a limited number of affected customers and had applied patches to SaaS customers on Feb. 2. Self-hosted customers were urged to apply patches manually if they hadn’t set up automated updates.
The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog a week ago.
Researchers from Defused report what appears to be activity from initial access brokers, with hackers dropping scripts used for extensive enumeration of targeted environments, according to CEO Simo Kohonen.
Unit 42 researchers report seeing hackers attempt to install remote management tools such as SimpleHelp and AnyDesk, as well as tunnelling tools such as Cloudflare. They have also confirmed seeing data theft.