VShell and SparkRAT Observed in Exploitation of BeyondTrust ...#1923

Open
carlospolop wants to merge 1 commit into master from update_VShell_and_SparkRAT_Observed_in_Exploitation_of_Be_20260220_015851

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/
  • Blog Title: VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
  • Suggested Section: Pentesting Web -> Command Injection (bash arithmetic evaluation / WebSocket-handshake parameter injection) and/or Network Services Pentesting -> 80,443 - Pentesting Web (WebSockets). Also consider adding the persistence technique under Linux Post-Exploitation or Webshells/Persistence notes (Apache config STOMPing).

🎯 Content Summary

Title / Context
Unit 42 analyzed in-the-wild exploitation of CVE-2026-1731 affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). BeyondTrust published advisory BT26-02 on Feb 6, 2026; Unit 42 published this post on Feb 19, 2026. The bug is a pre-auth remote code execution that allows attackers to execute operating system commands as the appliance “site user” (not root, but sufficiently privileged to...

🔧 Technical Details

Pre-auth WebSocket RCE via bash arithmetic evaluation of a client version field:
If a network-reachable WebSocket handler passes a client-controlled “version” parameter (e.g., remoteVersion) into bash arithmetic contexts like (( ... )) or let, and validation is not strict, attackers can inject bash expressions containing command substitution (e.g., $(command)). Because bash evaluates expansions during arithmetic processing, a payload shaped like a[$(cmd)]0 can trigger command execution while the script is “just” comparing versions, resulting in unauthenticated OS command execution.

Ephemeral admin takeover by swapping password hashes using the application’s own hashing utility:
After gaining code execution, attackers can minimize artifacts by (1) reading and backing up the admin user’s existing password hash from the application DB (e.g., User ID 1), (2) generating a valid hash for a ...

🤖 Agent Actions

Updated src/pentesting-web/command-injection.md with new WebSocket handshake bash arithmetic RCE technique, detailed post-exploitation tradecraft (ephemeral admin hash swaps, gated PHP webshell behaviors, Apache config STOMPing persistence, DNS/OAST validation), and an enhanced DNS exfiltration snippet with compliant label chunking. Added relevant reference to the Unit 42 BeyondTrust CVE-2026-1731 blog.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
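The bash arithmetic injection described under Technical Details above, as an added example that is not part of this PR, the Unit 42 post, or any BeyondTrust code. It assumes a handshake handler that has already extracted the client-supplied remoteVersion string and hands it to a bash version gate; MIN_VERSION, the function names and the marker-file mechanism are assumptions made for the demonstration, and the payload follows the a[$(cmd)] shape described above.

```bash
#!/usr/bin/env bash
# Added example: a toy version gate of the kind a WebSocket handshake handler
# might implement in bash, with a vulnerable and a hardened variant. Not code
# from the Unit 42 post or from BeyondTrust; MIN_VERSION and the function
# names are assumptions made for the demonstration.

MIN_VERSION=1000

# VULNERABLE. (( )) looks up remote_version and, because its value is not a
# plain number, evaluates that value as a nested arithmetic expression. An
# array reference such as a[...] inside it has its subscript expanded, and
# that expansion performs command substitution, so $(...) in the client
# supplied string runs before the comparison is ever made.
version_ok_vulnerable() {
    local remote_version="$1"
    if (( remote_version >= MIN_VERSION )); then
        echo supported
    else
        echo unsupported
    fi
    return 0
}

# HARDENED. Reject anything that is not a non-empty string of decimal digits
# before the value can reach an arithmetic context, then force base 10 so a
# leading zero is not read as octal (0999 would otherwise be an error).
version_ok_hardened() {
    local remote_version="$1"
    case "$remote_version" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if (( 10#$remote_version >= MIN_VERSION )); then
        echo supported
    else
        echo unsupported
    fi
    return 0
}

# Run one of the gates against an injection payload shaped like a[$(cmd)].
# The injected command drops a marker file and then echoes 0 so the subscript
# is still a valid index and evaluation proceeds without a syntax error.
# Prints "fired" if cmd ran, "blocked" otherwise.
injection_result() {
    local gate="$1" dir marker payload
    dir="$(mktemp -d)"
    marker="$dir/pwned"
    payload="a[\$(touch $marker; echo 0)]"
    "$gate" "$payload" >/dev/null
    if [ -f "$marker" ]; then
        rm -rf "$dir"
        echo fired
    else
        rm -rf "$dir"
        echo blocked
    fi
}

# Stand-alone demo output when executed directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "benign 1234 -> vulnerable: $(version_ok_vulnerable 1234), hardened: $(version_ok_hardened 1234)"
    echo "injection   -> vulnerable: $(injection_result version_ok_vulnerable), hardened: $(injection_result version_ok_hardened)"
fi
```

The same class of sink exists for `let "v = $input"`, `$(( input ))` and `[[ $input -eq N ]]`, since all of them evaluate the string as an arithmetic expression; the allow-list check in version_ok_hardened is what matters, not which operator is used afterwards.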

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Command Injection (bash arithmetic evaluation / WebSocket-handshake parameter injection) and/or Network Services Pentesting -> 80,443 - Pentesting Web (WebSockets). Also consider adding the persistence technique under Linux Post-Exploitation or Webshells/Persistence notes (Apache config STOMPing).".

Repository Maintenance:

  • MD Files Formatting: 948 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
