Share
## https://sploitus.com/exploit?id=344DC761-48CE-54A4-ABF4-2DD7E625CE61
# CVE-2026-1731 โ BeyondTrust RS/PRA Passive Vulnerability Scanner
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ โโโโโโโโโโ โโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโ โ
โ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโ โโโ โโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โ โโโ โโโโ โโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโ โ
โ โโโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโโโโโ โโโโโ โโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโ โ
โ __ _____ ____ __ โ
โ /_ |__ /|___ \/_ | โ
โ | | / / __) || | โ
โ | | / / |__ **This tool is provided for EDUCATIONAL and AUTHORIZED DEFENSIVE purposes only.**
>
> You may **ONLY** use this tool against systems you own or have **explicit written authorization** to test. Unauthorized scanning of systems you do not own may violate applicable laws including the Computer Fraud and Abuse Act (CFAA) and similar statutes in other jurisdictions.
>
> The authors assume **no liability** for misuse of this tool. By using this software, you agree to use it responsibly and in compliance with all applicable laws and regulations.
---
## Vulnerability Overview
| Field | Detail |
|---|---|
| **CVE** | CVE-2026-1731 |
| **CVSS** | 9.9 (Critical) |
| **Advisory** | [BT26-02](https://www.beyondtrust.com/trust-center/security-advisories/bt26-02) |
| **Type** | Pre-authentication Remote Code Execution |
| **Vector** | WebSocket endpoint `/nw` โ Bash arithmetic evaluation injection |
| **Affected** | RS โค 25.3.1, PRA โค 24.3.4 |
| **Fixed** | RS 25.3.2+, PRA 25.1.1+ |
| **Exploitation** | Active in the wild as of Feb 12, 2026 |
CVE-2026-1731 is a variant of [CVE-2024-12356](https://nvd.nist.gov/vuln/detail/CVE-2024-12356) (the vulnerability used by Chinese APT to breach the U.S. Treasury). Both target the same `/nw` WebSocket endpoint and the underlying `thin-scc-wrapper` Bash script. The BT24-10 patch for CVE-2024-12356 added a numeric sanity check, but failed to prevent Bash arithmetic evaluation of the `remoteVersion` parameter โ which CVE-2026-1731 exploits.
---
## How It Works
This scanner uses **8 passive fingerprinting methods** โ validated against live BeyondTrust instances โ to determine product version and vulnerability status without sending any exploit traffic.
### Detection Methods
| # | Method | Endpoint | What It Extracts | Confidence |
|---|---|---|---|---|
| 1 | **BRDF Version Extraction** | `GET /get_rdf?comp=sdcust&locale_code=en-us` | Exact product version from binary header (e.g., `24.1.4`) | **EXACT** |
| 2 | **/check_health Response** | `GET /check_health` | `"Health Check: Succeeded"` = pre-25.x / `"Status: Primary"` = 25.x+ | HIGH |
| 3 | **Static Asset Sizing** | `HEAD /js/login.js` | File size: ~36K-39K = pre-25.x / ~12K = 25.x+ | HIGH |
| 4 | **/get_mech_list API** | `GET /get_mech_list?version=3` | Company name + `thin_rep_enabled` field (25.x+ only) | HIGH |
| 5 | **HTML Structure** | `GET /login` | XHTML 1.1 + BOMGAR = pre-25.x / HTML5 = 25.x+ | MEDIUM |
| 6 | **Copyright Year** | `GET /login` footer | `2002-2024` = pre-25.x / `2002-2025` = 25.x | MEDIUM |
| 7 | **Portal Info** | `GET /get_portal_info` | X-Ns-Company value (attacker reconnaissance indicator) | โ |
| 8 | **WebSocket Probe** | `GET /nw` (HTTP only) | Confirms attack surface reachability | โ |
**Method 1 (BRDF)** is the same technique used by [Metasploit](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb) and [Nessus plugin 213456](https://www.tenable.com/plugins/nessus/213456). When BRDF returns an exact version, confidence is **EXACT**. Some 25.x instances strip the version from BRDF โ in those cases, methods 2-6 are scored and corroborated to infer the version range.
### What This Tool Does NOT Do
- โ Send WebSocket upgrade requests
- โ Transmit crafted payloads to `/nw`
- โ Attempt any form of exploitation
- โ Perform authentication or brute-forcing
- โ Modify any data on target systems
- โ Establish persistent or stateful connections
---
## Quick Start
### Requirements
- Python 3.8+
- No external dependencies (stdlib only)
### Installation
```bash
git clone https://github.com/YOUR_USERNAME/cve-2026-1731-scanner.git
cd cve-2026-1731-scanner
chmod +x cve_2026_1731_scanner.py
```
### Single Target Scan
```bash
python3 cve_2026_1731_scanner.py -t support.example.com -v
```
### Bulk Scan from File
```bash
# Create a target list (one host per line)
cat > targets.txt << 'EOF'
support.example.com
pra.example.com
192.168.1.50
10.0.0.100:8443
remote-support.beyondtrustcloud.com
EOF
# Run the scan
python3 cve_2026_1731_scanner.py -f targets.txt --threads 20 -o results.csv --json results.json -v
```
### Full Usage
```
usage: cve_2026_1731_scanner.py [-h] (-t TARGET | -f FILE) [-o OUTPUT]
[--json JSON_OUTPUT] [--threads THREADS] [-v]
options:
-t, --target TARGET Single target hostname or IP
-f, --file FILE File containing targets (one per line)
-o, --output OUTPUT Export results to CSV file
--json JSON_OUTPUT Export results to JSON file
--threads THREADS Concurrent threads (default: 10)
-v, --verbose Verbose per-target output
```
### Input Format
The target file accepts flexible input โ one entry per line:
```
# Comments are supported (lines starting with #)
192.168.1.1
10.0.0.5
support.example.com
support.example.com:8443
https://support.example.com
http://support.example.com # auto-upgraded to HTTPS
support.example.com/login # paths are stripped automatically
```
---
## Understanding Output
### Risk Levels
| Level | Meaning |
|---|---|
| **CRITICAL** | Exact version confirmed vulnerable via BRDF, or multiple high-confidence signals indicate pre-25.x |
| **HIGH** | Likely vulnerable but with fewer corroborating signals; manual verification recommended |
| **MEDIUM** | Inferred as 25.x+ (RS could still be vulnerable through 25.3.1); verify BT26-02 patch |
| **LOW/INFO** | SaaS instance (auto-patched), confirmed patched version, or confirmed safe |
### Version Confidence
| Confidence | Source | Meaning |
|---|---|---|
| **EXACT** | BRDF `/get_rdf` | Exact version string extracted from binary (e.g., `24.1.4`) |
| **HIGH** | Multi-signal (3+) | 3 or more independent signals agree with 0 contradictions |
| **MEDIUM** | Multi-signal (2+) | Majority of signals agree but with some ambiguity |
| **LOW** | Inconclusive | Conflicting or insufficient signals |
### Exit Codes (CI/CD Integration)
| Code | Meaning |
|---|---|
| `0` | No critical or high findings |
| `1` | High-risk findings detected |
| `2` | Critical findings detected |
```bash
# Example: CI/CD pipeline integration
python3 cve_2026_1731_scanner.py -f targets.txt -o results.csv
if [ $? -eq 2 ]; then
echo "CRITICAL: Vulnerable BeyondTrust instances found!"
# trigger alert / page on-call / open ticket
fi
```
---
## Example Output
```
[*] Scanning https://support.example.com...
Status: VULNERABLE [CRITICAL]
Version: 24.1.4 (via BRDF /get_rdf, confidence: EXACT)
Company: examplecorp
Product: Remote Support
Signals: health=old, login.js=36458B, html=modern, ยฉ2024
/nw: REACHABLE
```
---
## CSV & JSON Export
### CSV Fields
| Field | Description |
|---|---|
| `target` | Scanned URL |
| `is_beyondtrust` | Whether BeyondTrust was detected |
| `product_type` | Remote Support or Privileged Remote Access |
| `product_version` | Exact version (if extracted from BRDF) |
| `version_source` | How the version was determined |
| `version_confidence` | EXACT, HIGH, MEDIUM, or LOW |
| `company_name` | X-Ns-Company value (used in exploitation) |
| `copyright_year` | From login page footer |
| `health_check_type` | `old` (pre-25.x) or `new` (25.x+) |
| `login_js_size` | File size of /js/login.js |
| `thin_rep_enabled` | Present only in 25.x+ |
| `html_generation` | `legacy` (XHTML) or `modern` (HTML5) |
| `is_saas` | SaaS (.beyondtrustcloud.com) instance |
| `ws_endpoint_reachable` | Whether /nw responds |
| `vulnerability_status` | Assessment result |
| `risk_level` | CRITICAL, HIGH, MEDIUM, LOW, or INFO |
| `details` | Human-readable assessment details |
---
## Remediation
If the scanner identifies vulnerable instances:
1. **Apply BT26-02 patch immediately** โ available from BeyondTrust for all supported RS/PRA versions
2. **Upgrade to fixed versions**: RS 25.3.2+ or PRA 25.1.1+
3. **If running RS < 21.3 or PRA < 22.1**: full product upgrade is required before the patch can be applied
4. **Network controls**: restrict access to the `/nw` WebSocket endpoint if immediate patching is not possible
5. **Hunt for compromise**: check logs for WebSocket connections to `/nw` with unusual `remoteVersion` values containing `$()` or backticks
6. **SaaS instances**: were auto-patched on February 2, 2026 โ verify in your BeyondTrust portal
### References
- [BT26-02 Advisory](https://www.beyondtrust.com/trust-center/security-advisories/bt26-02)
- [NVD: CVE-2026-1731](https://nvd.nist.gov/vuln/detail/CVE-2026-1731)
- [Rapid7 Analysis](https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis)
- [Metasploit Module (CVE-2024-12356)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb)
---
## Contributing
Pull requests welcome. If you discover additional passive fingerprinting methods or version correlation signals, please open an issue or PR.
---
## License
MIT License โ see [LICENSE](LICENSE) for details.
---
## Author
**NetGuard 24/7 LLC**
[https://netguard24-7.com](https://netguard24-7.com)