Share
## https://sploitus.com/exploit?id=344DC761-48CE-54A4-ABF4-2DD7E625CE61
# CVE-2026-1731 โ€” BeyondTrust RS/PRA Passive Vulnerability Scanner

```
    โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
    โ•‘                                                                               โ•‘
    โ•‘     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—            โ•‘
    โ•‘    โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•    โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•            โ•‘
    โ•‘    โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—            โ•‘
    โ•‘    โ–ˆโ–ˆโ•‘     โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ• โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—          โ•‘
    โ•‘    โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•          โ•‘
    โ•‘     โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•โ•    โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•           โ•‘
    โ•‘                          __ _____ ____  __                                    โ•‘
    โ•‘                         /_ |__  /|___ \/_ |                                   โ•‘
    โ•‘                          | |  / /  __) || |                                   โ•‘
    โ•‘                          | | / /  |__  **This tool is provided for EDUCATIONAL and AUTHORIZED DEFENSIVE purposes only.**
>
> You may **ONLY** use this tool against systems you own or have **explicit written authorization** to test. Unauthorized scanning of systems you do not own may violate applicable laws including the Computer Fraud and Abuse Act (CFAA) and similar statutes in other jurisdictions.
>
> The authors assume **no liability** for misuse of this tool. By using this software, you agree to use it responsibly and in compliance with all applicable laws and regulations.

---

## Vulnerability Overview

| Field | Detail |
|---|---|
| **CVE** | CVE-2026-1731 |
| **CVSS** | 9.9 (Critical) |
| **Advisory** | [BT26-02](https://www.beyondtrust.com/trust-center/security-advisories/bt26-02) |
| **Type** | Pre-authentication Remote Code Execution |
| **Vector** | WebSocket endpoint `/nw` โ€” Bash arithmetic evaluation injection |
| **Affected** | RS โ‰ค 25.3.1, PRA โ‰ค 24.3.4 |
| **Fixed** | RS 25.3.2+, PRA 25.1.1+ |
| **Exploitation** | Active in the wild as of Feb 12, 2026 |

CVE-2026-1731 is a variant of [CVE-2024-12356](https://nvd.nist.gov/vuln/detail/CVE-2024-12356) (the vulnerability used by Chinese APT to breach the U.S. Treasury). Both target the same `/nw` WebSocket endpoint and the underlying `thin-scc-wrapper` Bash script. The BT24-10 patch for CVE-2024-12356 added a numeric sanity check, but failed to prevent Bash arithmetic evaluation of the `remoteVersion` parameter โ€” which CVE-2026-1731 exploits.

---

## How It Works

This scanner uses **8 passive fingerprinting methods** โ€” validated against live BeyondTrust instances โ€” to determine product version and vulnerability status without sending any exploit traffic.

### Detection Methods

| # | Method | Endpoint | What It Extracts | Confidence |
|---|---|---|---|---|
| 1 | **BRDF Version Extraction** | `GET /get_rdf?comp=sdcust&locale_code=en-us` | Exact product version from binary header (e.g., `24.1.4`) | **EXACT** |
| 2 | **/check_health Response** | `GET /check_health` | `"Health Check: Succeeded"` = pre-25.x / `"Status: Primary"` = 25.x+ | HIGH |
| 3 | **Static Asset Sizing** | `HEAD /js/login.js` | File size: ~36K-39K = pre-25.x / ~12K = 25.x+ | HIGH |
| 4 | **/get_mech_list API** | `GET /get_mech_list?version=3` | Company name + `thin_rep_enabled` field (25.x+ only) | HIGH |
| 5 | **HTML Structure** | `GET /login` | XHTML 1.1 + BOMGAR = pre-25.x / HTML5 = 25.x+ | MEDIUM |
| 6 | **Copyright Year** | `GET /login` footer | `2002-2024` = pre-25.x / `2002-2025` = 25.x | MEDIUM |
| 7 | **Portal Info** | `GET /get_portal_info` | X-Ns-Company value (attacker reconnaissance indicator) | โ€” |
| 8 | **WebSocket Probe** | `GET /nw` (HTTP only) | Confirms attack surface reachability | โ€” |

**Method 1 (BRDF)** is the same technique used by [Metasploit](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb) and [Nessus plugin 213456](https://www.tenable.com/plugins/nessus/213456). When BRDF returns an exact version, confidence is **EXACT**. Some 25.x instances strip the version from BRDF โ€” in those cases, methods 2-6 are scored and corroborated to infer the version range.

### What This Tool Does NOT Do

- โŒ Send WebSocket upgrade requests
- โŒ Transmit crafted payloads to `/nw`
- โŒ Attempt any form of exploitation
- โŒ Perform authentication or brute-forcing
- โŒ Modify any data on target systems
- โŒ Establish persistent or stateful connections

---

## Quick Start

### Requirements

- Python 3.8+
- No external dependencies (stdlib only)

### Installation

```bash
git clone https://github.com/YOUR_USERNAME/cve-2026-1731-scanner.git
cd cve-2026-1731-scanner
chmod +x cve_2026_1731_scanner.py
```

### Single Target Scan

```bash
python3 cve_2026_1731_scanner.py -t support.example.com -v
```

### Bulk Scan from File

```bash
# Create a target list (one host per line)
cat > targets.txt << 'EOF'
support.example.com
pra.example.com
192.168.1.50
10.0.0.100:8443
remote-support.beyondtrustcloud.com
EOF

# Run the scan
python3 cve_2026_1731_scanner.py -f targets.txt --threads 20 -o results.csv --json results.json -v
```

### Full Usage

```
usage: cve_2026_1731_scanner.py [-h] (-t TARGET | -f FILE) [-o OUTPUT]
                                 [--json JSON_OUTPUT] [--threads THREADS] [-v]

options:
  -t, --target TARGET     Single target hostname or IP
  -f, --file FILE         File containing targets (one per line)
  -o, --output OUTPUT     Export results to CSV file
  --json JSON_OUTPUT      Export results to JSON file
  --threads THREADS       Concurrent threads (default: 10)
  -v, --verbose           Verbose per-target output
```

### Input Format

The target file accepts flexible input โ€” one entry per line:

```
# Comments are supported (lines starting with #)
192.168.1.1
10.0.0.5
support.example.com
support.example.com:8443
https://support.example.com
http://support.example.com    # auto-upgraded to HTTPS
support.example.com/login     # paths are stripped automatically
```

---

## Understanding Output

### Risk Levels

| Level | Meaning |
|---|---|
| **CRITICAL** | Exact version confirmed vulnerable via BRDF, or multiple high-confidence signals indicate pre-25.x |
| **HIGH** | Likely vulnerable but with fewer corroborating signals; manual verification recommended |
| **MEDIUM** | Inferred as 25.x+ (RS could still be vulnerable through 25.3.1); verify BT26-02 patch |
| **LOW/INFO** | SaaS instance (auto-patched), confirmed patched version, or confirmed safe |

### Version Confidence

| Confidence | Source | Meaning |
|---|---|---|
| **EXACT** | BRDF `/get_rdf` | Exact version string extracted from binary (e.g., `24.1.4`) |
| **HIGH** | Multi-signal (3+) | 3 or more independent signals agree with 0 contradictions |
| **MEDIUM** | Multi-signal (2+) | Majority of signals agree but with some ambiguity |
| **LOW** | Inconclusive | Conflicting or insufficient signals |

### Exit Codes (CI/CD Integration)

| Code | Meaning |
|---|---|
| `0` | No critical or high findings |
| `1` | High-risk findings detected |
| `2` | Critical findings detected |

```bash
# Example: CI/CD pipeline integration
python3 cve_2026_1731_scanner.py -f targets.txt -o results.csv
if [ $? -eq 2 ]; then
    echo "CRITICAL: Vulnerable BeyondTrust instances found!"
    # trigger alert / page on-call / open ticket
fi
```

---

## Example Output

```
  [*] Scanning https://support.example.com...
      Status: VULNERABLE [CRITICAL]
      Version: 24.1.4 (via BRDF /get_rdf, confidence: EXACT)
      Company: examplecorp
      Product: Remote Support
      Signals: health=old, login.js=36458B, html=modern, ยฉ2024
      /nw: REACHABLE
```

---

## CSV & JSON Export

### CSV Fields

| Field | Description |
|---|---|
| `target` | Scanned URL |
| `is_beyondtrust` | Whether BeyondTrust was detected |
| `product_type` | Remote Support or Privileged Remote Access |
| `product_version` | Exact version (if extracted from BRDF) |
| `version_source` | How the version was determined |
| `version_confidence` | EXACT, HIGH, MEDIUM, or LOW |
| `company_name` | X-Ns-Company value (used in exploitation) |
| `copyright_year` | From login page footer |
| `health_check_type` | `old` (pre-25.x) or `new` (25.x+) |
| `login_js_size` | File size of /js/login.js |
| `thin_rep_enabled` | Present only in 25.x+ |
| `html_generation` | `legacy` (XHTML) or `modern` (HTML5) |
| `is_saas` | SaaS (.beyondtrustcloud.com) instance |
| `ws_endpoint_reachable` | Whether /nw responds |
| `vulnerability_status` | Assessment result |
| `risk_level` | CRITICAL, HIGH, MEDIUM, LOW, or INFO |
| `details` | Human-readable assessment details |

---

## Remediation

If the scanner identifies vulnerable instances:

1. **Apply BT26-02 patch immediately** โ€” available from BeyondTrust for all supported RS/PRA versions
2. **Upgrade to fixed versions**: RS 25.3.2+ or PRA 25.1.1+
3. **If running RS < 21.3 or PRA < 22.1**: full product upgrade is required before the patch can be applied
4. **Network controls**: restrict access to the `/nw` WebSocket endpoint if immediate patching is not possible
5. **Hunt for compromise**: check logs for WebSocket connections to `/nw` with unusual `remoteVersion` values containing `$()` or backticks
6. **SaaS instances**: were auto-patched on February 2, 2026 โ€” verify in your BeyondTrust portal

### References

- [BT26-02 Advisory](https://www.beyondtrust.com/trust-center/security-advisories/bt26-02)
- [NVD: CVE-2026-1731](https://nvd.nist.gov/vuln/detail/CVE-2026-1731)
- [Rapid7 Analysis](https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis)
- [Metasploit Module (CVE-2024-12356)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb)

---

## Contributing

Pull requests welcome. If you discover additional passive fingerprinting methods or version correlation signals, please open an issue or PR.

---

## License

MIT License โ€” see [LICENSE](LICENSE) for details.

---

## Author

**NetGuard 24/7 LLC**
[https://netguard24-7.com](https://netguard24-7.com)