Skip Navigation

July 8, 2026 |

BeyondTrust patches critical authentication bypass vulnerabilities

Loading table of contents...

At a glance: BeyondTrust disclosed four vulnerabilities affecting Remote Support (RS) and Privileged Remote Access (PRA), including two critical flaws that can allow unauthorized access to affected appliances under specific conditions. Because RS and PRA provide centralized administrative access to systems across the enterprise, compromise of these platforms can provide a path to sensitive systems and privileged accounts.

Threat summary

On July 7, 2026, BeyondTrust disclosed four vulnerabilities affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).

These products are used to provide remote administration, privileged session management, and controlled access to internal systems, including servers, workstations, and network devices. The vulnerabilities affect RS 25.3.2 and earlier and PRA 25.3.2 and earlier.

The critical flaws are tracked as CVE-2026-40138 and CVE-2026-40139, both assigned a CVSS score of 9.2.

  • CVE-2026-40138 affects RS and PRA and results from improper validation of authentication data.
  • CVE-2026-40139 affects RS and results from improper processing of authentication requests.

BeyondTrust reported that successful exploitation can allow unauthorized access to affected appliances, including accounts with elevated privileges, when a specific authentication configuration is enabled. BeyondTrust has not disclosed the affected configuration or identified the authentication methods affected.

BeyondTrust also released updates for two high-severity vulnerabilities:

  • The first one, tracked as CVE-2026-40140, affects network communication subsystem and can allow an unauthenticated threat actor to trigger a denial-of-service condition. CVSS: 8.7
  • The second flaw, CVE-2026-40141, affects a web application component and can allow an authenticated user with limited privileges to access resources or data outside their intended authorization scope. CVSS: 8.5

BeyondTrust states that the vulnerabilities were identified through internal security research and security assessments.

BeyondTrust applied patches to cloud-hosted RS and PRA deployments on April 21, 2026. Organizations operating self-hosted deployments are responsible for applying the April 2026 security rollup or upgrading to RS 25.3.3 or later and PRA 25.3.3 or later.

Recommendations

BeyondTrust Remote Support and Privileged Remote Access are designed to provide administrators with remote access to systems across the enterprise. These platforms often sit between administrators and critical assets, including servers, endpoints, network infrastructure, and privileged accounts.

As a result, they are attractive targets for threat actors because access to the management platform can provide a path to multiple systems through a trusted administrative channel.

In December 2024, BeyondTrust disclosed a security incident involving its Remote Support software. Public reporting linked related activity affecting the U.S. Department of the Treasury to a Chinese state-sponsored threat actor. The incident highlighted the value of remote access and privileged access platforms to threat actors.

The newly disclosed vulnerabilities can allow unauthorized access to affected RS and PRA appliances under specific conditions. Although BeyondTrust has not reported active exploitation of CVE-2026-40138 or CVE-2026-40139, organizations using vulnerable versions face the risk of unauthorized access to systems managed through these platforms.

Determine whether BeyondTrust Remote Support or Privileged Remote Access is deployed and identify the version in use, and if they are cloud-hosted or self-hosted. RS 25.3.2 and earlier and PRA 25.3.2 and earlier are affected.

Organizations operating self-hosted deployments need to apply the April 2026 security rollup or upgrading to a fixed release. Prioritize internet-facing appliances, review authentication configurations, and inspect logs for unusual authentication activity, newly created privileged accounts, and unexpected administrative sessions.

ThreatRoundUp_SignUp_Simplifiedx2

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up