{"id":189194,"date":"2026-02-20T12:10:00","date_gmt":"2026-02-20T17:10:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/20\/beyondtrust-remote-support-exploitation-ramps-up-with-backdoors-remote-tools\/"},"modified":"2026-02-20T12:30:11","modified_gmt":"2026-02-20T17:30:11","slug":"beyondtrust-remote-support-exploitation-ramps-up-with-backdoors-remote-tools","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/20\/beyondtrust-remote-support-exploitation-ramps-up-with-backdoors-remote-tools\/","title":{"rendered":"BeyondTrust Remote Support exploitation ramps up with backdoors, remote tools"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/beyondtrust-remote-support-exploitation-backdoors-remote-tools\/812707\/\">BeyondTrust Remote Support exploitation ramps up with backdoors, remote tools<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/beyondtrust-remote-support-exploitation-backdoors-remote-tools\/812707\/\">https:\/\/www.cybersecuritydive.com\/news\/beyondtrust-remote-support-exploitation-backdoors-remote-tools\/812707\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-20 12:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>
<\/p>\n<p>A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks\u2019 Unit 42.\u00a0<br \/>\nMultiple BeyondTrust Remote Support users have been confirmed as targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare, among others.\u00a0<br \/>\nThe vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access.\u00a0<br \/>\nThe flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.\u00a0<\/p>\n<p>GreyNoise researchers warned late last week that reconnaissance activity had begun targeting the vulnerability. The flaw is a variant of CVE-2024-12356, which was linked to the December 2024 hack of the U.S. Treasury Department by Silk Typhoon, a state-linked actor backed by China.\u00a0<br \/>\nResearchers from VulnCheck said the rise in exploitation activity is not surprising given that details of the flaw and exploit code are publicly available.\u00a0<br \/>\n\u201cThe vulnerable products are designed to enable remote access, which makes them an appealing attack target for both state-sponsored attackers looking to gain persistent access to corporate networks and financially motivated groups looking for new initial access opportunities,\u201d said Caitlin Condon, vice president of research at VulnCheck.\u00a0<br \/>\nVulnCheck researchers estimate between 4,000 and 10,000 systems are potentially vulnerable, depending on the system used for observation.\u00a0<br \/>\nBeyondTrust previously confirmed that it was supporting a limited number of affected customers and that it had applied patches to SaaS customers on Feb. 2. 
Self-hosted customers were urged to apply patches manually if they hadn\u2019t set up automated updates.\u00a0<br \/>\nThe Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog a week ago.\u00a0<br \/>\nResearchers from Defused report what appears to be threat activity from initial access brokers, as hackers are dropping scripts used for heavy enumerations of targeted environments, according to CEO Simo Kohonen.\u00a0<br \/>\nUnit 42 researchers report seeing hackers attempt to install remote management tools such as SimpleHelp and AnyDesk as well as tunnelling tools such as Cloudflare. They have also confirmed seeing data theft.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BeyondTrust Remote Support exploitation ramps up with backdoors, remote tools https:\/\/www.cybersecuritydive.com\/news\/beyondtrust-remote-support-exploitation-backdoors-remote-tools\/812707\/ Publish Date: 2026-02-20 12:10:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":189195,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/S0V-I9mq6aPhwoeuMzD9nLtfFLne8Nl9XKRSau8enI0\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0xMzMxOTQzOTU4LmpwZw==.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-189194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189194"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\
/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=189194"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189194\/revisions"}],"predecessor-version":[{"id":189196,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/189194\/revisions\/189196"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/189195"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=189194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=189194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=189194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}