VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

Executive Summary

On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthorized access, data exfiltration and service disruption.

Due to the severity of the risk and confirmed active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2026. This addition mandated immediate remediation for federal agencies and signaled urgent prioritization for the private sector.

Unit 42 has observed the deployment of several backdoors, such as SparkRAT and VShell, during active exploitation in the wild. Additionally, we’ve observed the use of PowerShell scripts and reverse shells attempting connections to infrastructure consistent with the default Metasploit Meterpreter over port 4444.
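The outbound-connection pattern described above (a reverse shell from the Remote Support host to TCP/4444, the default Metasploit Meterpreter port) is something defenders can hunt for in firewall or flow logs. The following is an added detection example, not code from the Unit 42 post; the log line format, the `BEYONDTRUST_HOSTS` inventory and the sample addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed, simplified firewall log format; field names are assumptions.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Hypothetical inventory: internal addresses of the BeyondTrust Remote Support hosts.
BEYONDTRUST_HOSTS = {"10.0.5.20", "10.0.5.21"}
METERPRETER_DEFAULT_PORT = 4444  # default Meterpreter listener port noted in the post


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return findings for outbound TCP/4444 originating from Remote Support hosts.

    Denied connections are reported too: a blocked callback still indicates
    that something on the appliance tried to reach a C2 listener."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # skip malformed or non-TCP lines rather than abort the run
        if rec["src"] in BEYONDTRUST_HOSTS and int(rec["dport"]) == METERPRETER_DEFAULT_PORT:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], int(rec["dport"]), rec["action"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real indicators).
SAMPLE_LOG = """\
2026-02-10T03:14:07Z ALLOW TCP 10.0.5.20:51234 -> 203.0.113.45:4444
2026-02-10T03:14:09Z ALLOW TCP 10.0.7.8:51235 -> 203.0.113.45:4444
2026-02-10T03:15:00Z ALLOW TCP 10.0.5.20:51236 -> 198.51.100.7:443
2026-02-10T03:15:30Z DENY TCP 10.0.5.21:51237 -> 203.0.113.45:4444
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.action})")
```

Port 4444 alone is a weak signal (attackers can change it), so treat a hit as a trigger for host triage of the appliance, not as proof of compromise on its own.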

Deep Dive

Unit 42 is actively investigating exploitation of this vulnerability and has observed attacker activity consistent with the following:

  • Network reconnaissance and account creation
  • Webshell deployment
  • Command-and-control (C2) traffic
  • Backdoor and remote management tool deployment
  • Lateral movement
  • Data theft

At the time of publication, Palo Alto Networks Cortex Xpanse has identified the presence of 16,400-plus exposed instances vulnerable to CVE-2026-1731 based on our telemetry.

The campaign tracked by Unit 42 has so far affected the following sectors in the U.S., France, Germany, Australia and Canada:

  • Financial services
  • Legal services
  • High technology
  • Higher education
  • Wholesale and retail
  • Healthcare

Retail and Hospitality Perspective

As mentioned above, Unit 42 observed this exploitation activity targeting the wholesale and retail sector. Given our observations of data theft and CISA’s acknowledgement of related activity leading to ransomware deployment, RH-ISAC members should patch affected systems as soon as possible and maintain increased vigilance for the post-exploitation behaviors listed in this blog.

Indicators of Compromise

https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731
