{"id":216907,"date":"2026-02-20T10:45:00","date_gmt":"2026-02-20T15:45:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/20\/beyondtrust-flaw-used-for-web-shells-backdoors-and-data-exfiltration\/"},"modified":"2026-02-24T09:25:08","modified_gmt":"2026-02-24T14:25:08","slug":"beyondtrust-flaw-used-for-web-shells-backdoors-and-data-exfiltration","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/20\/beyondtrust-flaw-used-for-web-shells-backdoors-and-data-exfiltration\/","title":{"rendered":"BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration"},"content":{"rendered":"

BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/02\/beyondtrust-flaw-used-for-web-shells.html<\/a><\/p>\n

Publish Date: 2026-02-20 10:45:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Feb 20, 2026<\/span><\/span>Vulnerability \/ Cyber Attack<\/span><\/p>\n

Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of malicious actions, including deploying VShell and\u00a0<\/p>\n

The vulnerability, tracked as CVE-2026-1731<\/strong> (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user.<\/p>\n

In a report published Thursday, Palo Alto Networks Unit 42 said it detected the security flaw being actively exploited in the wild for network reconnaissance, web shell deployment, command-and-control (C2), backdoor and remote management tool installs, lateral movement, and data theft.<\/p>\n

The campaign has targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada.<\/p>\n

The cybersecurity company described the vulnerability as a case of sanitization failure that enables an attacker to leverage the affected “thin-scc-wrapper” script that’s reachable via WebSocket interface to inject and execute arbitrary shell commands in the context of the site user.<\/p>\n

“While this account is distinct from the root user, compromising it effectively grants the attacker control over the appliance’s configuration, managed sessions and network traffic,” security researcher Justin Moore said.<\/p>\n

\"\"<\/p>\n

The current scope of attacks exploiting the flaw range from reconnaissance to backdoor deployment –<\/p>\n