By bypassing common/oauth2/authorize logic, threat actors can force the instantiation of arbitrary classes, resulting in system-level command execution under service account privileges. Unlike traditional buffer overflows, this vulnerability leverages legitimate application logic to achieve persistence, rendering it largely invisible to standard signature-based Web Application Firewalls (WAFs).
A downstream risk involves BeyondTrust Jumpoints, as they facilitate the "outbound-only" connection from internal network segments to the appliance. If the central appliance is compromised via CVE-2026-1731, the attacker effectively gains control over the "command and control" hub for all connected Jumpoints.
While the primary RCE vulnerability exists on the B-Series Appliance itself, the Jumpoint acts as the execution arm for administrative tasks; if the appliance is compromised, it can push malicious instructions to an outdated or unmanaged Jumpoint. Jumpoints typically update automatically once the primary appliance is patched. However, verify that the Jumpoint version matches the appliance's build. For the BT26-02 security cycle, your Jumpoints should ideally be at version 25.3.x (for Remote Support) or 25.1.x (for Privileged Remote Access) to maintain security parity.
Technical Analysis
The vulnerability centers on the WebSocket handshake process used to maintain real-time communication with Jump Clients. Analysis indicates the core defect exists within the thin-scc-wrapper script located in the $BG_app_root/app/ directory, which facilitates Secure Communication Channels (SCC).
Attackers send crafted requests containing shell metacharacters within parameters passed to unsanitised system calls in the wrapper. While initial reconnaissance may involve benign functions such as get_portal_info, the gathered data is used to build the final WebSocket payload that triggers the injection.
Execution occurs as the "site user", a service account that, while non-privileged in the Linux environment, possesses the permissions necessary to manage the web portal, facilitate session handoffs, and interact with internal databases.
Attack Chain
- Reconnaissance & Initiation: Identifying internet-facing instances and sending a WebSocket upgrade request to the vulnerable endpoint.
- Injection & Verification: Embedding the payload into the stream, often verified via Out-of-Band (OAST) DNS callbacks to attacker-controlled domains.
- Persistence: Injecting SSH public keys into /home/site_user/.ssh/authorized_keys or deploying minimal web shells in the portal directory.
- Lateral Movement via Living-off-the-Land: Using the trusted status of the appliance to bypass internal firewalls and EDR, launching secondary attacks against domain controllers and internal databases.
Remediation & Patch Guidance
Cloud/SaaS instances were automatically remediated on February 2, 2026. Self-hosted customers must prioritise the following:
| Product | Vulnerable Versions | Remediation / Patch |
| --- | --- | --- |
| Remote Support (RS) | 25.3.1 and prior | Upgrade to 25.3.2 or apply BT26-02-RS |
| Privileged Remote Access (PRA) | 24.3.4 and prior | Upgrade to 25.1.1 or apply BT26-02-PRA |
Recommendations
- Patch and Inventory: Identify all RS and PRA instances and apply patches immediately.
- Strict Access Control: Implement firewall allow-lists or VPN-only requirements to restrict access to the /appliance and support portals to trusted IP ranges.
- Endpoint Correlation: Monitor Jump Client activity on internal servers; any administrative action must be correlated with a verified, approved support session in the logs.
- Log Hunting: Search for unusual sub-processes spawned by the Java-based management service or modifications to the site_user directory.
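As an added example (not BeyondTrust's code or tooling), the following script implements the log-hunting and persistence checks above over normalised process and file events: shells spawned by thin-scc-wrapper or the Java management service, and site_user writes to its home directory or authorized_keys. The event field names, the /opt/bg path standing in for $BG_app_root, and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List

SITE_USER = "site_user"
# Parents named in the advisory: the SCC wrapper and the Java-based management service.
SUSPECT_PARENTS = {"thin-scc-wrapper", "java"}
SHELLS = {"sh", "bash", "dash", "perl", "python", "python3"}
AUTHORIZED_KEYS = "/home/site_user/.ssh/authorized_keys"
SITE_USER_HOME = "/home/site_user/"
# Shell metacharacters of the kind the injection relies on.
METACHARS = re.compile(r"[;&|`$]")

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    findings: List[str] = []
    for ev in events:
        if ev["type"] == "exec":
            if basename(ev["parent"]) in SUSPECT_PARENTS and basename(ev["image"]) in SHELLS:
                reason = "shell spawned by " + basename(ev["parent"])
                if METACHARS.search(ev.get("cmdline", "")):
                    reason += " (metacharacters in command line)"
                findings.append(f"{ev['ts']} {reason}: {ev['cmdline']}")
        elif ev["type"] == "file_write" and ev["user"] == SITE_USER:
            if ev["path"] == AUTHORIZED_KEYS:
                findings.append(f"{ev['ts']} SSH key persistence: {ev['path']} modified")
            elif ev["path"].startswith(SITE_USER_HOME):
                findings.append(f"{ev['ts']} site_user home modified: {ev['path']}")
    return findings

# Constructed sample events (assumed field layout, not real BeyondTrust telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T10:00:00Z", "type": "exec", "user": "root",
     "parent": "/usr/lib/systemd/systemd", "image": "/bin/bash", "cmdline": "bash /etc/rc.local"},
    {"ts": "2026-02-03T10:01:02Z", "type": "exec", "user": "site_user",
     "parent": "/opt/bg/app/thin-scc-wrapper", "image": "/bin/sh", "cmdline": "sh -c 'uname -a; id'"},
    {"ts": "2026-02-03T10:01:05Z", "type": "file_write", "user": "site_user",
     "path": "/home/site_user/.ssh/authorized_keys"},
    {"ts": "2026-02-03T10:02:00Z", "type": "file_write", "user": "site_user",
     "path": "/var/log/portal/access.log"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Feed it events exported from auditd or your EDR after mapping their fields to the assumed layout; any finding should be correlated with an approved support session before being dismissed.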