Overview
- CISA updated its KEV entry for CVE-2026-1731 to indicate confirmed use in ransomware campaigns, expanding earlier federal warnings.
- Exploitation followed a public proof‑of‑concept within about 24 hours, and BeyondTrust later acknowledged activity dating to January 31.
- Unit 42 observed attackers performing reconnaissance, lateral movement, and data exfiltration while installing web shells, remote tools, and backdoors.
- Observed payloads include SparkRAT and the VShell Linux backdoor, with targeting across financial, legal, high tech, higher education, retail, and healthcare sectors in the U.S., Canada, Australia, Germany, and France.
- Patches are available now—Remote Support 25.3.2+ and Privileged Remote Access 25.1.1+—with cloud SaaS auto‑updated on February 2 and on‑prem customers urged to update or isolate vulnerable appliances.
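The last bullet gives the two fixed releases, which makes the practical first step for an on-prem administrator an inventory check: which appliances are at or above the fixed version, which are below it (patch or isolate), and which cannot be judged. The script below is an added example and is not code from BeyondTrust, CISA or Unit 42; the version thresholds come from the bullet above, while the inventory layout, the `product` labels and the hostnames are constructed assumptions. It compares versions numerically so that a build such as 25.3.10 is not mistaken for an older release by string ordering, and it refuses to call an unparseable version "patched".

```python
"""Triage a BeyondTrust appliance inventory against the fixed versions named
in the overview (Remote Support 25.3.2+, Privileged Remote Access 25.1.1+).

Added example; not BeyondTrust, CISA or Unit 42 code. The inventory format,
product labels and hostnames below are constructed assumptions; the version
thresholds are the ones stated in the advisory summary.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed version per product, taken from the overview bullet.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "Remote Support": (25, 3, 2),
    "Privileged Remote Access": (25, 1, 1),
}

# Leading dotted-integer version, optionally prefixed with 'v'; trailing
# build tags such as '-build4' are ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '25.3.10' (or 'v25.3.10-build7') into (25, 3, 10).

    Returns None when no version can be read, so the caller can flag the
    appliance for manual review instead of silently treating it as patched.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (25, 3) and (25, 3, 0) compare equal."""
    return v + (0,) * (n - len(v))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version >= the fixed release for product, False if older,
    None if the product is unknown or the version cannot be parsed."""
    fixed = FIXED_VERSIONS.get(product)
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    n = max(len(fixed), len(parsed))
    # Numeric tuple comparison: 25.3.10 ranks above 25.3.2, which a plain
    # string comparison would get wrong ('25.3.10' < '25.3.2' lexically).
    return _pad(parsed, n) >= _pad(fixed, n)


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Label each appliance 'patched', 'vulnerable', or 'review' (undetermined)."""
    out = []
    for item in inventory:
        result = is_patched(item["product"], item["version"])
        if result is None:
            status = "review"
        elif result:
            status = "patched"
        else:
            status = "vulnerable"
        out.append({**item, "status": status})
    return out


def vulnerable_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hosts below the fixed release: update or isolate per the advisory."""
    return [r["host"] for r in triage(inventory) if r["status"] == "vulnerable"]


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    {"host": "rs-onprem-01", "product": "Remote Support", "version": "25.3.2"},
    {"host": "rs-onprem-02", "product": "Remote Support", "version": "25.3.10"},
    {"host": "rs-onprem-03", "product": "Remote Support", "version": "25.2.9"},
    {"host": "pra-onprem-01", "product": "Privileged Remote Access", "version": "25.1.0"},
    {"host": "pra-onprem-02", "product": "Privileged Remote Access", "version": "v25.1.1-build4"},
    {"host": "legacy-box", "product": "Remote Support", "version": "unknown"},
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['product']:<26} {row['version']:<16} {row['status']}")
```

Anything reported as `review` (no readable version, or a product not in the table) should be checked by hand rather than assumed safe; the point of returning `None` from `is_patched` instead of `False` is to keep those cases visible in the output.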