  • Security Boulevard: China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns (Jeffrey Burt)

China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns

27 April 2026, 09:32

China-sponsored threat groups like Salt Typhoon and Flax Typhoon are increasingly relying on multiple massive botnets comprising edge and IoT devices to run their cyber espionage and network intrusion campaigns, CISA and other security agencies say. The use of such "covert networks" makes it more difficult to detect and mitigate their campaigns.

The post China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns appeared first on Security Boulevard.

OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens

An OpenAI Codex vulnerability allowed attackers to steal GitHub tokens via malicious branch names, exploiting a hidden-Unicode command injection flaw.
  • Security Boulevard: Dormant Accounts Leave Manufacturing Orgs Open to Attack (Teri Robinson)
    While companies use "perp walks" for terminated employees, 48% of manufacturers fail to revoke digital access within 24 hours. Explore the growing risk of dormant accounts, the 74% automation gap in provisioning, and why experts like Darren Guccione and James Maude call overprivileged identities a "frictionless path" for modern cyberattacks. The post Dormant Accounts Leave Manufacturing Orgs Open to Attack appeared first on Security Boulevard.
  • Security Affairs: CVE-2026-1731 fuels ongoing attacks on BeyondTrust remote access products (Pierluigi Paganini)

CVE-2026-1731 fuels ongoing attacks on BeyondTrust remote access products

23 February 2026, 09:09

Attackers are exploiting CVE-2026-1731 in BeyondTrust RS and PRA to deploy VShell, gain persistence, move laterally, and control compromised systems.

Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).

The flaw is being used to conduct a wide range of malicious activities, including deploying VShell and other tools to gain persistence, move laterally, and maintain remote control over compromised systems.

Recently, BeyondTrust released security updates to address the critical flaw in its Remote Support and older Privileged Remote Access products. The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in. The issue, disclosed on February 6, 2026, could lead to full remote code execution if exploited, making the updates essential to prevent abuse.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability.” reads the advisory. “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

Exploiting the flaw would let a remote attacker run system commands without authentication or user interaction, potentially leading to full system compromise, data theft, and service disruption.

BeyondTrust released patches for CVE-2026-1731 on February 6 after Hacktron researchers warned that thousands of instances were exposed online.

The Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments. Around 8,500 of these are on-prem systems and could remain vulnerable if not patched. The affected deployments are mainly used by large organizations, including enterprises in healthcare, financial services, government, and hospitality sectors.

After a PoC exploit went public on February 10, GreyNoise detected attack attempts within 24 hours, with one IP responsible for most reconnaissance activity.

In a new report, Palo Alto Networks Unit 42 confirmed the flaw is being actively exploited for reconnaissance, web shell deployment, C2 activity, backdoor installation, lateral movement, and data theft. The campaign has hit multiple sectors, including finance, legal, tech, education, retail, and healthcare, across the U.S., France, Germany, Australia, and Canada.

Threat actors used a custom Python script to briefly hijack the main admin account (User ID 1) for 60 seconds.

“The Python script functions by querying the target’s database to back up the existing password hash for the primary administrator (User ID 1). It leverages the application’s own authentication binary (check_auth) to generate a valid hash for the password string password and injects the hash into the database.” reads the report published by Palo Alto Networks.

The script backed up the original password hash, generated a valid one for a known password, injected it into the database, then restored the original hash and deleted itself—minimizing traces and evading detection.

Unit 42 observed attackers deploying multiple web shells, including one-line, password-protected PHP backdoors that execute Base64-encoded commands via eval() without writing extra files. The researchers spotted the usage of a more advanced shell (aws.php) that acted as a stealth C2 gate, echoing markers linked to tools like China Chopper. A bash dropper used “config STOMPing” to persist by loading a malicious Apache configuration into memory while keeping disk files clean.

The campaign also leveraged SparkRAT, VShell, PowerShell downloaders, a multi-method Linux “download-and-execute” cradle, and attempted Meterpreter reverse shells over port 4444.

Recently, the Cybersecurity and Infrastructure Security Agency warned that CVE-2026-1731 has been actively exploited in ransomware campaigns, prompting a revision of its KEV catalog entry.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-1731)

  • Security Affairs: Attackers exploit BeyondTrust CVE-2026-1731 within hours of PoC release (Pierluigi Paganini)

Attackers exploit BeyondTrust CVE-2026-1731 within hours of PoC release

13 February 2026, 12:19

Attackers quickly targeted BeyondTrust flaw CVE-2026-1731 after a PoC was released, enabling unauthenticated remote code execution.

Threat actors rapidly began exploiting a newly patched BeyondTrust vulnerability, tracked as CVE-2026-1731 (CVSS score of 9.9), soon after a proof-of-concept exploit became public.

This week BeyondTrust released security updates to address the critical flaw in its Remote Support and older Privileged Remote Access products. The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in. The issue, disclosed on February 6, 2026, could lead to full remote code execution if exploited, making the updates essential to prevent abuse.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability.” reads the advisory. “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

Exploiting the flaw would let a remote attacker run system commands without authentication or user interaction, potentially leading to full system compromise, data theft, and service disruption.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user.” continues the advisory. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

BeyondTrust released patches for CVE-2026-1731 on February 6 after Hacktron researchers warned that thousands of instances were exposed online.

The Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments. Around 8,500 of these are on-prem systems and could remain vulnerable if not patched. The affected deployments are mainly used by large organizations, including enterprises in healthcare, financial services, government, and hospitality sectors.

After a PoC exploit went public on February 10, GreyNoise detected attack attempts within 24 hours, with one IP responsible for most reconnaissance activity.

“On February 10, a proof-of-concept exploit for CVE-2026-1731, a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access, was posted to GitHub. By February 11, GreyNoise’s Global Observation Grid was recording reconnaissance probing for vulnerable BeyondTrust instances.” reported GreyNoise.

GreyNoise observed rapid reconnaissance for CVE-2026-1731, led by a single IP responsible for 86% of scans. The activity comes from a long-running scanning operation using a commercial VPN and Linux-based tooling. Threat actors mainly probe non-standard ports, suggesting they know enterprises move BeyondTrust services off 443. JA4+ fingerprints show shared exploit tools and VPN tunneling.

The same IPs also target SonicWall, MOVEit, Log4j, Sophos, SSH, and IoT devices, showing multi-exploit behavior. BeyondTrust tools are high-value targets, and past zero-day chains remain active even as new variants quickly emerge.

“The IPs performing reconnaissance for CVE-2026-1731 aren’t single-purpose. While their BeyondTrust activity is a check (enumeration), their GreyNoise profiles show they’re simultaneously conducting active exploitation attempts against other products: SonicWall, MOVEit Transfer, Log4j, Sophos firewalls, SSH brute-forcing, and IoT default-credential testing.” concludes the report. “Some IPs are even using out-of-band callback domains (OAST), a more sophisticated technique to confirm vulnerability before delivering payloads.”


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-1731)

  • Security Affairs: BeyondTrust fixes critical pre-auth bug allowing remote code execution (Pierluigi Paganini)

BeyondTrust fixes critical pre-auth bug allowing remote code execution

9 February 2026, 16:52

BeyondTrust patched a critical pre-auth flaw in Remote Support and PRA that could let attackers execute code remotely.

BeyondTrust released security updates to address a critical flaw, tracked as CVE-2026-1731 (CVSS score of 9.9), in its Remote Support and older Privileged Remote Access products. The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in. The issue, disclosed on February 6, 2026, could lead to full remote code execution if exploited, making the updates essential to prevent abuse.

“BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability.” reads the advisory. “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

Exploiting the flaw would let a remote attacker run system commands without authentication or user interaction, potentially leading to full system compromise, data theft, and service disruption.

“Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user.” continues the advisory. “Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.”

The vulnerability impacts:

  • Remote Support versions 25.3.1 and prior
  • Privileged Remote Access versions 24.3.4 and prior

Below are the fixed software versions:

  • Remote Support: Patch BT26-02-RS, versions 25.3.2 and later
  • Privileged Remote Access: Patch BT26-02-PRA, versions 25.1.1 and later

Harsh Jaiswal and the Hacktron AI team reported the vulnerability.

SaaS customers were automatically protected, as the fix was deployed to all Remote Support and Privileged Remote Access cloud environments on February 2, 2026.

For self-hosted deployments, administrators must manually install the patch if automatic updates are not enabled. Systems running older versions must first upgrade to a supported release before applying the fix. In particular, PRA self-hosted customers can resolve the flaw by upgrading to version 25.1.1 or later.
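Self-hosted appliances are the ones that can stay unpatched, so an inventory check against the affected and fixed versions above is the first thing a defender wants. The following is an added example, not BeyondTrust's or Security Affairs' code; it takes its version boundaries from the article and flags the gap between the last listed affected release and the first fixed release (possible for PRA) as "verify", since the article does not state the status of versions in between. The hostnames and versions in the sample inventory are constructed.

```python
"""Version triage for CVE-2026-1731 in BeyondTrust RS and PRA.

Added example, not BeyondTrust's or Security Affairs' code. Boundaries are
from the article: RS <= 25.3.1 affected, fixed in 25.3.2+; PRA <= 24.3.4
affected, fixed in 25.1.1+. A version between the last affected and first
fixed release (possible for PRA) is reported as "verify": the article does
not state its status.
"""

# Last known-affected and first fixed release per product (from the article).
AFFECTED_MAX = {"RS": (25, 3, 1), "PRA": (24, 3, 4)}
FIXED_MIN = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1); short strings like '24.2' pad with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'verify' for one RS/PRA instance."""
    key = product.upper()
    if key not in AFFECTED_MAX:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v <= AFFECTED_MAX[key]:
        return "vulnerable"
    if v >= FIXED_MIN[key]:
        return "fixed"
    return "verify"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Bucket (hostname, product, version) rows so the result is actionable."""
    result: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "verify": []}
    for host, product, version in inventory:
        result[assess(product, version)].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("rs-appliance-01", "RS", "25.3.1"), ("rs-appliance-02", "RS", "25.3.2"),
    ("rs-legacy", "RS", "24.2"), ("pra-appliance-01", "PRA", "24.3.4"),
    ("pra-appliance-02", "PRA", "25.1.1"), ("pra-appliance-03", "PRA", "25.1.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything in the "verify" bucket should be checked against the vendor advisory directly rather than assumed safe.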

The Hacktron AI team reported that roughly 11,000 BeyondTrust Remote Support instances are exposed online across cloud and on-prem environments. Around 8,500 of these are on-prem systems and could remain vulnerable if not patched. The affected deployments are mainly used by large organizations, including enterprises in healthcare, financial services, government, and hospitality sectors.

“At this time, we are withholding technical details to allow affected parties sufficient time to apply patches. We strongly recommend addressing this vulnerability promptly, as exploitation is straightforward.” wrote Hacktron.


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)
