Back to Articles
critical

CRITICAL: BeyondTrust Auth Bypass Flaws Hand Attackers the Keys to Remote Support and PRA

BeyondTrust patched four flaws in Remote Support and Privileged Remote Access, including two unauthenticated CVSS 9.2 auth bypass bugs (CVE-2026-40138 and CVE-2026-40139) that let network-positioned attackers reach elevated accounts. All versions at or below 25.3.2 are vulnerable, with fixes in the 25.3.3 line. Cloud customers were patched April 21 2026, so self-hosted admins are the ones who need to move now.

By Danny Mercer, CISSP — Lead Security Analyst Jul 7, 2026
Is your business exposed? Our McKinney-based security team can assess your risk for free.
Share:

If there is one class of software an attacker would happily trade a week of their life to own outright, it is the remote access appliance sitting quietly at the edge of your network with a direct line into every endpoint you manage. BeyondTrust just confirmed that its Remote Support and Privileged Remote Access products, the exact tooling that managed service providers and enterprise help desks lean on every single day, shipped with a pair of pre-authentication flaws that let a network-positioned attacker stroll past the login screen entirely. This is the drop everything and patch it now category, because these are the kind of bugs that quietly turn a trusted support tool into an attacker foothold.

The two headliners are CVE-2026-40138 and CVE-2026-40139, both carrying a CVSS v4 score of 9.2. Neither requires valid credentials, which is the detail that should make anyone running a self-hosted appliance sit up straight. CVE-2026-40138 lives in the shared authentication subsystem and stems from improper validation of authentication data. A network-positioned attacker can abuse it to bypass access controls and gain unauthorized access to the appliance, and that access includes accounts with elevated privileges. In other words, the flaw does not just get someone in the door, it potentially hands them an administrator's chair. CVE-2026-40139 is a close cousin, rooted in how BeyondTrust Remote Support processes authentication requests. Improper handling of those requests lets an unauthenticated remote attacker gain access to vulnerable instances without ever presenting a legitimate secret.

There is one meaningful caveat worth stating plainly, because it changes the risk calculus for some deployments. Both critical flaws require a specific authentication configuration to be enabled before they can be exploited. That is not a reason to relax. It is a reason to go find out exactly how your appliance is configured before an attacker does it for you. Plenty of organizations enable the very features that make these bugs reachable precisely because those features make life easier for distributed support teams.

The advisory does not stop at two bugs. BeyondTrust also patched CVE-2026-40140, a pre-authentication flaw in the network communication subsystem scoring 8.7, where insufficient input validation opens the door to denial-of-service conditions that can knock the appliance offline. Rounding out the set is CVE-2026-40141 at 8.5, a web application component weakness that lets an authenticated user with limited privileges reach resources they were never supposed to touch. On their own these two would be a serious Tuesday. Sitting underneath a pair of unauthenticated 9.2s, they are the aftershocks to the earthquake.

Here is the part that matters for triage. Every version of Remote Support and Privileged Remote Access at or below 25.3.2 is considered vulnerable. The fix landed in RS 25.3.3 and PRA 25.3.3, so anything at or above that release is clear. BeyondTrust applied the patch to all Remote Support and Privileged Remote Access cloud customers back on April 21, 2026, which means if you consume these products purely as a hosted service, the vendor already handled it on your behalf. Self-hosted customers are the ones holding the pager. If your instance is not subscribed to automatic updates, you need to either apply the April security rollup patch for your affected version or upgrade outright to the 25.3.3 line or later. There is no clever workaround that beats patching here, and pretending otherwise is how appliances end up in incident reports.

As of publication, BeyondTrust reports no evidence of active exploitation in the wild, and there was no sign these flaws were abused before the fix went out. That is genuinely good news, and it is also the exact moment complacency likes to sneak in. The Shadowserver Foundation is tracking close to two thousand BeyondTrust instances exposed to the internet with unknown patch status, and that population is precisely the hunting ground attackers will comb once someone reverse engineers the patch to understand what changed. Critical pre-auth bugs with a clear description of the vulnerable subsystem rarely stay theoretical for long. The gap between a vendor advisory and a working proof of concept is often measured in days, not months.

If you want a sense of why this particular product line deserves your paranoia, look at its history. BeyondTrust itself pointed out that Remote Support and Privileged Remote Access have come under repeated exploitation before, calling out CVE-2024-12356 and CVE-2026-1731 as prior cases where attackers used flaws in these appliances to plant web shells and backdoors. CVE-2024-12356 is not an obscure footnote either. It was tied to the intrusion that reached into a United States Treasury Department workstation, a reminder that when this software fails, it does not fail quietly in a lab. Threat actors already know the value of an appliance that sits between administrators and the crown jewels, and they have a track record of coming back to this well.

One detail from the disclosure is worth a mention if only because it signals where vulnerability research is heading. BeyondTrust says it found these flaws internally during its own security assessments, using a combination of proprietary research tooling and AI models, including Anthropic's Claude Opus 4.8. Read that however you like, but the trend is clear enough. Defenders are increasingly turning large models loose on their own code to find the bugs before the adversaries do, and this is one of the cleaner examples of that approach paying off with a real catch on a high-value target.

So what should a practitioner actually do this week. Patch first, and patch on the self-hosted appliances specifically, because the cloud tenants are already covered. Confirm you are running RS or PRA 25.3.3 or later, or that the April rollup has been applied to your exact version. While you are in there, audit whether the authentication configuration that makes the critical flaws reachable is actually enabled, and question whether it needs to be. Get these appliances off the open internet if there is any way to front them with a VPN or restrict access to known management networks, because an unauthenticated bug on an internet-facing box is the worst possible combination. On the detection side, pull your appliance authentication logs and hunt for successful authentications that do not line up with a legitimate credential presentation, watch for unexpected administrator account creation or privilege changes, and keep an eye on outbound connections from the appliance itself, since a compromised support box making odd network calls is a classic web shell tell. If you cannot patch instantly for change control reasons, tightening network exposure buys you time, but it is a tourniquet, not a cure.

The uncomfortable throughline here is the same one the industry keeps relearning. The tools we deploy to secure and manage our environments, the privileged access platforms and the remote support consoles, are themselves prime targets precisely because of how much power they concentrate. An attacker who owns your remote support appliance does not need to phish a hundred users or chain three application bugs together. They inherit the reach that appliance already has, which is by design enormous. That is the whole point of the product and also the whole reason it is dangerous when it breaks.

For managed service providers, this advisory is more than a patch reminder, it is a conversation starter with every client running remote access infrastructure. Remote Support and Privileged Remote Access are the beating heart of a lot of MSP delivery, which means MSPs are both operators of this exact software and the trusted party clients expect to keep it current. There is a clear services story in offering managed appliance patching, external attack surface monitoring to catch internet-exposed instances before Shadowserver does, and continuous vulnerability management that treats privileged access tooling as the tier-zero asset it actually is. A single conversation framed around this CVE pair can justify a recurring monitoring and patch management retainer, and it positions you as the provider who caught the 9.2 before it became an incident rather than the one explaining the breach afterward.

References

Concerned about this threat?

Our security team can assess your exposure and recommend immediate actions.

Get a Free Assessment →