Security researchers say a critical flaw in BeyondTrust identity software (CVE-2026-1731) is being used in real attacks, letting criminals take over systems without passwords using tools like VShell and SparkRAT.