╔═══════════════════════════════════════════════════════════════╗
║ ║
║ CVE-2026-1731 ║
║ BeyondTrust RS/PRA Passive Vulnerability Scanner ║
║ ║
╠═══════════════════════════════════════════════════════════════╣
║ PASSIVE SCANNER — EDUCATIONAL & AUTHORIZED USE ONLY ║
║ ║
║ Performs passive fingerprinting via standard HTTP GET. ║
║ No exploit payloads sent. No WebSocket connections. ║
║ Only use against systems you own or are authorized to test. ║
║ ║
║ Methods: BRDF version extraction, /check_health, ║
║ static asset sizing, /get_mech_list API, ║
║ HTML analysis, copyright year, /nw probe ║
║ ║
║ Author: NetGuard 24/7 LLC ║
║ Web: https://netguard24-7.com ║
╚═══════════════════════════════════════════════════════════════╝
A passive vulnerability scanner for CVE-2026-1731 — a critical (CVSS 9.9) pre-authentication Remote Code Execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).
This tool identifies vulnerable BeyondTrust instances using only standard HTTP GET requests. No exploit payloads are sent. No WebSocket connections are established. No authentication is attempted.
Update: 2/16/2026
Applying the hotfix (BT26-02-RS or BT26-02-PRA) does not increment the product version, so instances in the RS (v21.3 - 25.3.1) or PRA (v22.1 - 24.X) range that have only the hotfix applied will still be reported as vulnerable by this scanner. Once the base release is upgraded, the instance is reported as not vulnerable. Per the vendor, the official fix is in Remote Support 25.3.2 and greater and Privileged Remote Access 25.1 and greater.
Author: NetGuard 24/7 LLC
This tool is provided for EDUCATIONAL and AUTHORIZED DEFENSIVE purposes only.
You may ONLY use this tool against systems you own or have explicit written authorization to test. Unauthorized scanning of systems you do not own may violate applicable laws including the Computer Fraud and Abuse Act (CFAA) and similar statutes in other jurisdictions.
The authors assume no liability for misuse of this tool. By using this software, you agree to use it responsibly and in compliance with all applicable laws and regulations.
| Field | Detail |
|---|---|
| CVE | CVE-2026-1731 |
| CVSS | 9.9 (Critical) |
| Advisory | BT26-02 |
| Type | Pre-authentication Remote Code Execution |
| Vector | WebSocket endpoint /nw — Bash arithmetic evaluation injection |
| Affected | RS ≤ 25.3.1, PRA ≤ 24.3.4 |
| Fixed | RS 25.3.2+, PRA 25.1.1+ |
| Exploitation | Active in the wild as of Feb 12, 2026 |
CVE-2026-1731 is a variant of CVE-2024-12356 (the vulnerability used by a Chinese APT to breach the U.S. Treasury). Both target the same /nw WebSocket endpoint and the underlying thin-scc-wrapper Bash script. The BT24-10 patch for CVE-2024-12356 added a numeric sanity check, but failed to prevent Bash arithmetic evaluation of the remoteVersion parameter — which CVE-2026-1731 exploits.
This scanner uses 8 passive fingerprinting methods — validated against live BeyondTrust instances — to determine product version and vulnerability status without sending any exploit traffic.
| # | Method | Endpoint | What It Extracts | Confidence |
|---|---|---|---|---|
| 1 | BRDF Version Extraction | GET /get_rdf?comp=sdcust&locale_code=en-us | Exact product version from binary header (e.g., 24.1.4) | EXACT |
| 2 | /check_health Response | GET /check_health | "Health Check: Succeeded" = pre-25.x / "Status: Primary" = 25.x+ | HIGH |
| 3 | Static Asset Sizing | HEAD /js/login.js | File size: ~36K-39K = pre-25.x / ~12K = 25.x+ | HIGH |
| 4 | /get_mech_list API | GET /get_mech_list?version=3 | Company name + thin_rep_enabled field (25.x+ only) | HIGH |
| 5 | HTML Structure | GET /login | XHTML 1.1 + BOMGAR = pre-25.x / HTML5 = 25.x+ | MEDIUM |
| 6 | Copyright Year | GET /login footer | 2002-2024 = pre-25.x / 2002-2025 = 25.x | MEDIUM |
| 7 | Portal Info | GET /get_portal_info | X-Ns-Company value (attacker reconnaissance indicator) | — |
| 8 | WebSocket Probe | GET /nw (HTTP only) | Confirms attack surface reachability | — |
Method 1 (BRDF) is the same technique used by Metasploit and Nessus plugin 213456. When BRDF returns an exact version, confidence is EXACT. Some 25.x instances strip the version from BRDF — in those cases, methods 2-6 are scored and corroborated to infer the version range.
This scanner never does any of the following:

- ❌ Send WebSocket upgrade requests
- ❌ Transmit crafted payloads to /nw
- ❌ Attempt any form of exploitation
- ❌ Perform authentication or brute-forcing
- ❌ Modify any data on target systems
- ❌ Establish persistent or stateful connections
- Python 3.8+
- No external dependencies (stdlib only)
```bash
git clone https://github.com/YOUR_USERNAME/cve-2026-1731-scanner.git
cd cve-2026-1731-scanner
chmod +x cve_2026_1731_scanner.py
```

Scan a single target:

```bash
python3 cve_2026_1731_scanner.py -t support.example.com -v
```

Scan a list of targets:

```bash
# Create a target list (one host per line)
cat > targets.txt << 'EOF'
support.example.com
pra.example.com
192.168.1.50
10.0.0.100:8443
remote-support.beyondtrustcloud.com
EOF

# Run the scan
python3 cve_2026_1731_scanner.py -f targets.txt --threads 20 -o results.csv --json results.json -v
```

Command-line options:

```
usage: cve_2026_1731_scanner.py [-h] (-t TARGET | -f FILE) [-o OUTPUT]
                                [--json JSON_OUTPUT] [--threads THREADS] [-v]

options:
  -t, --target TARGET   Single target hostname or IP
  -f, --file FILE       File containing targets (one per line)
  -o, --output OUTPUT   Export results to CSV file
  --json JSON_OUTPUT    Export results to JSON file
  --threads THREADS     Concurrent threads (default: 10)
  -v, --verbose         Verbose per-target output
```
The target file accepts flexible input — one entry per line:
```
# Comments are supported (lines starting with #)
192.168.1.1
10.0.0.5
support.example.com
support.example.com:8443
https://support.example.com
http://support.example.com   # auto-upgraded to HTTPS
support.example.com/login    # paths are stripped automatically
```
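As an added example (not the scanner's own code), the normalisation rules listed above expressed as a small parser: comment and blank lines are skipped, bare hosts and host:port entries are accepted, http:// is upgraded to https://, and paths are stripped. The README states those rules; the function names, the treatment of trailing comments, default ports and IPv6 literals, and the de-duplication are assumptions made for illustration.

```python
"""Target-file normalisation following the rules the README lists above.

Added example (not the scanner's own code). The README states the rules:
'#' comments are skipped, bare hosts and host:port entries are accepted,
http:// is upgraded to https://, and paths are stripped. The function names,
the handling of trailing comments, default ports and IPv6 literals, and the
de-duplication are assumptions made for illustration.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def normalize_target(entry: str) -> Optional[str]:
    """Return a canonical 'https://host[:port]' URL, or None for blank/comment lines."""
    line = entry.split("#", 1)[0].strip()      # '# ...' anywhere starts a comment (assumption)
    if not line:
        return None
    if "://" not in line:
        line = "https://" + line               # bare host or host:port
    parts = urlsplit(line)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in target: {entry!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no hostname in target: {entry!r}")
    if ":" in host:                            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port                          # raises ValueError on a non-numeric port
    # http:// is upgraded to https:// (README), so both 80 and 443 count as default
    # ports and are dropped; any other port is preserved.
    netloc = host if port in (None, 80, 443) else f"{host}:{port}"
    return f"https://{netloc}"                 # path, query and fragment are discarded


def load_targets(text: str) -> List[str]:
    """Normalise every line of a target file, preserving order and dropping duplicates."""
    seen, targets = set(), []
    for raw in text.splitlines():
        url = normalize_target(raw)
        if url and url not in seen:
            seen.add(url)
            targets.append(url)
    return targets


# Constructed sample target file, mirroring the README's example entries.
SAMPLE_TARGET_FILE = """\
# Comments are supported (lines starting with #)
192.168.1.1
10.0.0.5
support.example.com
support.example.com:8443
https://support.example.com
http://support.example.com   # auto-upgraded to HTTPS
support.example.com/login    # paths are stripped automatically
"""

if __name__ == "__main__":
    for url in load_targets(SAMPLE_TARGET_FILE):
        print(url)
```

Running the block prints four URLs: the three spellings of support.example.com collapse to one entry, and the :8443 variant stays separate because a non-default port is part of the target identity.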
| Level | Meaning |
|---|---|
| CRITICAL | Exact version confirmed vulnerable via BRDF, or multiple high-confidence signals indicate pre-25.x |
| HIGH | Likely vulnerable but with fewer corroborating signals; manual verification recommended |
| MEDIUM | Inferred as 25.x+ (RS could still be vulnerable through 25.3.1); verify BT26-02 patch |
| LOW/INFO | SaaS instance (auto-patched), confirmed patched version, or confirmed safe |
| Confidence | Source | Meaning |
|---|---|---|
| EXACT | BRDF /get_rdf | Exact version string extracted from binary (e.g., 24.1.4) |
| HIGH | Multi-signal (3+) | 3 or more independent signals agree with 0 contradictions |
| MEDIUM | Multi-signal (2+) | Majority of signals agree but with some ambiguity |
| LOW | Inconclusive | Conflicting or insufficient signals |
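As an added example (not the scanner's own code), the decision logic described in the fingerprinting-method table, the risk-level table and the confidence table above, written out end to end: an exact BRDF version is compared against the fixed releases, and when no exact version is available the individual pre-25.x / 25.x+ signals are voted and scored. Taken from the README are the fixed releases (RS 25.3.2+, PRA 25.1.1+), the hotfix floor (RS 21.3 / PRA 22.1), the fact that the BT26-02 hotfix leaves the version string unchanged, the per-signal indicators, and the HIGH/MEDIUM/LOW confidence rules. The observation keys, the exact byte bands for /js/login.js, the status strings and the mapping of a 25.x+ inference to MEDIUM risk are assumptions for illustration.

```python
"""Vulnerability assessment modelled on the README's method, risk and confidence tables.

Added example, not the scanner's own code. From the README: fixed releases
(RS 25.3.2+, PRA 25.1.1+), hotfix floor (RS 21.3 / PRA 22.1), the hotfix not
changing the version, the per-signal indicators and the confidence rules.
Observation keys, login.js byte bands, status strings and the 25.x+ -> MEDIUM
mapping are assumptions for illustration.
"""
from typing import Dict, Optional, Tuple

# Lowest fixed release per product (README: RS 25.3.2+, PRA 25.1.1+).
FIXED_FROM = {"RS": (25, 3, 2), "PRA": (25, 1, 1)}
# Oldest release the BT26-02 hotfix applies to (README: RS 21.3, PRA 22.1).
HOTFIX_FLOOR = {"RS": (21, 3), "PRA": (22, 1)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'24.1.4' -> (24, 1, 4); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in version.strip().split("."))


def assess_exact(product: str, version: str, hotfix_applied: bool = False) -> Tuple[str, str]:
    """(status, risk) for an exact BRDF version. hotfix_applied must come from an
    out-of-band check, because the hotfix does not change the version string."""
    v = parse_version(version)
    if v >= FIXED_FROM[product]:
        return "PATCHED", "INFO"
    if hotfix_applied and v >= HOTFIX_FLOOR[product]:
        return "HOTFIXED", "LOW"
    return "VULNERABLE", "CRITICAL"


def signal_votes(obs: Dict[str, object]) -> Dict[str, Optional[str]]:
    """Turn raw observations into per-signal votes: 'pre25', '25plus' or None (unreadable)."""
    votes: Dict[str, Optional[str]] = {}
    health = obs.get("health_body")
    if isinstance(health, str):
        votes["health"] = ("pre25" if "Health Check: Succeeded" in health
                           else "25plus" if "Status: Primary" in health else None)
    size = obs.get("login_js_size")
    if isinstance(size, int):                      # README: ~36K-39K vs ~12K; bands are assumed
        votes["login_js"] = ("pre25" if 36_000 <= size <= 39_999
                             else "25plus" if 11_000 <= size <= 13_999 else None)
    if "thin_rep_enabled_present" in obs:          # field exists on 25.x+ only
        votes["mech_list"] = "25plus" if obs["thin_rep_enabled_present"] else "pre25"
    html = obs.get("html_generation")
    if html in ("legacy", "modern"):
        votes["html"] = "pre25" if html == "legacy" else "25plus"
    year = obs.get("copyright_year")
    if isinstance(year, int):
        votes["copyright"] = "pre25" if year <= 2024 else "25plus"
    return votes


def score_signals(votes: Dict[str, Optional[str]]) -> Tuple[Optional[str], str]:
    """README confidence rules: 3+ agreeing with no contradiction = HIGH, a majority
    with some dissent = MEDIUM, otherwise LOW (and no inference at all on a tie)."""
    pre = sum(1 for v in votes.values() if v == "pre25")
    post = sum(1 for v in votes.values() if v == "25plus")
    if pre == post:                                # includes "no usable signals"
        return None, "LOW"
    majority, agree, dissent = ("pre25", pre, post) if pre > post else ("25plus", post, pre)
    if agree >= 3 and dissent == 0:
        return majority, "HIGH"
    if agree >= 2:
        return majority, "MEDIUM"
    return majority, "LOW"


def assess(product: str, brdf_version: Optional[str] = None,
           observations: Optional[Dict[str, object]] = None,
           hotfix_applied: bool = False) -> Tuple[str, str, str]:
    """(status, risk_level, confidence): an exact BRDF version wins; otherwise score signals."""
    if brdf_version:
        status, risk = assess_exact(product, brdf_version, hotfix_applied)
        return status, risk, "EXACT"
    inferred, confidence = score_signals(signal_votes(observations or {}))
    if inferred == "pre25":
        return "LIKELY_VULNERABLE", ("CRITICAL" if confidence == "HIGH" else "HIGH"), confidence
    if inferred == "25plus":                       # RS could still be <= 25.3.1: verify BT26-02
        return "VERIFY_BT26-02", "MEDIUM", confidence
    return "INCONCLUSIVE", "LOW", confidence
```

Note the hotfix branch: because BT26-02 does not bump the version, `hotfix_applied` can only come from an out-of-band confirmation (the appliance's own admin view), never from any of the passive signals; without it a hotfixed 24.1.4 instance is reported exactly as the README's update note says it will be, as vulnerable.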
| Code | Meaning |
|---|---|
| 0 | No critical or high findings |
| 1 | High-risk findings detected |
| 2 | Critical findings detected |
```bash
# Example: CI/CD pipeline integration
python3 cve_2026_1731_scanner.py -f targets.txt -o results.csv
if [ $? -eq 2 ]; then
    echo "CRITICAL: Vulnerable BeyondTrust instances found!"
    # trigger alert / page on-call / open ticket
fi
```

Example verbose output:

```
[*] Scanning https://support.example.com...
    Status: VULNERABLE [CRITICAL]
    Version: 24.1.4 (via BRDF /get_rdf, confidence: EXACT)
    Company: examplecorp
    Product: Remote Support
    Signals: health=old, login.js=36458B, html=modern, ©2024
    /nw: REACHABLE
```
| Field | Description |
|---|---|
| target | Scanned URL |
| is_beyondtrust | Whether BeyondTrust was detected |
| product_type | Remote Support or Privileged Remote Access |
| product_version | Exact version (if extracted from BRDF) |
| version_source | How the version was determined |
| version_confidence | EXACT, HIGH, MEDIUM, or LOW |
| company_name | X-Ns-Company value (used in exploitation) |
| copyright_year | From login page footer |
| health_check_type | old (pre-25.x) or new (25.x+) |
| login_js_size | File size of /js/login.js |
| thin_rep_enabled | Present only in 25.x+ |
| html_generation | legacy (XHTML) or modern (HTML5) |
| is_saas | SaaS (.beyondtrustcloud.com) instance |
| ws_endpoint_reachable | Whether /nw responds |
| vulnerability_status | Assessment result |
| risk_level | CRITICAL, HIGH, MEDIUM, LOW, or INFO |
| details | Human-readable assessment details |
If the scanner identifies vulnerable instances:
- Apply BT26-02 patch immediately — available from BeyondTrust for all supported RS/PRA versions
- Upgrade to fixed versions: RS 25.3.2+ or PRA 25.1.1+
- If running RS < 21.3 or PRA < 22.1: full product upgrade is required before the patch can be applied
- Network controls: restrict access to the /nw WebSocket endpoint if immediate patching is not possible
- Hunt for compromise: check logs for WebSocket connections to /nw with unusual remoteVersion values containing $() or backticks
- SaaS instances: were auto-patched on February 2, 2026 — verify in your BeyondTrust portal
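As an added example (not part of the scanner), the "hunt for compromise" step above as detection logic run over web-server log lines. The README's indicator is a remoteVersion value containing `$()` or backticks; that check is implemented first. The block also generalises it: since the README says the BT24-10 patch added a numeric sanity check for remoteVersion, any value that is not purely numeric is flagged as well, on the assumption that a legitimate value is digits (and dots) only. The log format, the sample lines and the helper names are constructed for illustration; the README specifies no log format.

```python
"""Hunt for suspicious /nw requests in access logs, per the README's remediation advice.

Added example, not part of the scanner. The indicator (remoteVersion containing
$() or backticks) is from the README. Flagging any non-numeric remoteVersion is a
generalisation based on the README's mention of BT24-10's numeric sanity check;
the expected numeric format is an assumption. Log format and lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a Combined-Log-like format (not real traffic).
# PLACEHOLDER stands in for whatever an attacker would put there.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:01:02 +0000] "GET /nw?remoteVersion=22&token=abc HTTP/1.1" 101 0
203.0.113.11 - - [12/Feb/2026:10:01:05 +0000] "GET /nw?remoteVersion=%24%28PLACEHOLDER%29 HTTP/1.1" 101 0
203.0.113.12 - - [12/Feb/2026:10:01:09 +0000] "GET /nw?remoteVersion=`PLACEHOLDER` HTTP/1.1" 500 0
203.0.113.13 - - [12/Feb/2026:10:02:00 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.14 - - [12/Feb/2026:10:02:30 +0000] "GET /nw?remoteVersion=22.1a HTTP/1.1" 400 0
203.0.113.15 - - [12/Feb/2026:10:03:11 +0000] "GET /nw?remoteVersion=%2524%2528PLACEHOLDER%2529 HTTP/1.1" 101 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_EXPANSION = re.compile(r"\$\(|`")        # the README's indicator: $( or a backtick
NUMERIC_VERSION = re.compile(r"^\d+(\.\d+)*$")  # assumed legitimate shape (digits and dots)


def classify_remote_version(value: str) -> str:
    """Return 'expansion', 'non_numeric' or 'ok' for one decoded remoteVersion value."""
    if SHELL_EXPANSION.search(value):
        return "expansion"
    if not NUMERIC_VERSION.match(value):
        return "non_numeric"
    return "ok"


def hunt_nw_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per /nw request whose remoteVersion looks suspicious."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # not a request line we understand
        parts = urlsplit(m.group("path"))
        if parts.path != "/nw":
            continue
        # parse_qs decodes once; unquote decodes a second time so a double-encoded
        # value (%2524%2528 ...) cannot slip past a naive string match.
        for value in parse_qs(parts.query, keep_blank_values=True).get("remoteVersion", []):
            decoded = unquote(value)
            verdict = classify_remote_version(decoded)
            if verdict != "ok":
                findings.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                                 "status": m.group("status"), "remoteVersion": decoded,
                                 "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in hunt_nw_requests(SAMPLE_LOG):
        print(f"{finding['timestamp']}  {finding['ip']:<14} {finding['verdict']:<12} "
              f"status={finding['status']} remoteVersion={finding['remoteVersion']!r}")
```

Two details matter in practice: the request is matched on the decoded path (so `/nw` is found regardless of query ordering), and the value is decoded twice before matching, which is why the last sample line is caught even though `$(` never appears literally in the log. A 101 status on such a line means the WebSocket upgrade succeeded and the request reached the backend, which is the case most worth following up.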
Pull requests welcome. If you discover additional passive fingerprinting methods or version correlation signals, please open an issue or PR.
MIT License — see LICENSE for details.
NetGuard 24/7 LLC https://netguard24-7.com