BeyondTrust is urging self-hosted customers to patch multiple vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) platforms.
Two of the vulnerabilities are critical authentication bypass flaws that could allow unauthorized users to gain access to vulnerable systems under specific configurations.
Key Takeaways of the BeyondTrust Vulnerabilities
- BeyondTrust patched four vulnerabilities affecting RS and PRA, including two critical authentication bypass flaws.
- CVE-2026-40138 and CVE-2026-40139 could allow unauthenticated attackers to bypass access controls under specific authentication configurations.
- Self-hosted customers should upgrade immediately, while patches have already been applied to BeyondTrust cloud-hosted environments.
- Organizations should strengthen remote access security with Zero Trust, phishing-resistant MFA, least-privilege access, and continuous monitoring.
Inside the BeyondTrust vulnerabilities
The vulnerabilities affect BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) versions 25.3.2 and earlier, enterprise platforms used for secure remote administration and privileged access management.
BeyondTrust disclosed two critical authentication vulnerabilities that could allow unauthenticated attackers to bypass access controls under specific authentication configurations.
While the company has not publicly disclosed the exact configuration required for exploitation, organizations should assume potentially affected deployments are at risk until they have been updated.
CVE-2026-40138
CVE-2026-40138 is the most severe of the disclosed vulnerabilities.
According to BeyondTrust, the flaw stems from an improper authentication weakness within the authentication subsystem.
If successfully exploited, an attacker without valid credentials could bypass authentication controls and gain unauthorized access to vulnerable RS or PRA appliances.
A primary concern of this vulnerability is that successful exploitation could expose privileged accounts and administrative functions, giving attackers access to sensitive systems.
Because these platforms often serve as gateways to enterprise infrastructure, a compromise could also enable lateral movement across the environment.
CVE-2026-40139
The second critical vulnerability, CVE-2026-40139, results from the improper processing of authentication requests within BeyondTrust Remote Support.
Under specific authentication configurations, the flaw could allow an unauthenticated remote attacker to gain unauthorized access to vulnerable instances.
Although the root cause differs from CVE-2026-40138, the impact is similar: attackers could bypass authentication controls and gain unauthorized access without valid credentials.
Because remote administration platforms manage high-value enterprise systems, organizations should prioritize remediation.
CVE-2026-40140
BeyondTrust also patched CVE-2026-40140, a vulnerability that could be exploited to trigger denial-of-service (DoS) conditions on vulnerable RS and PRA appliances.
While this vulnerability does not provide unauthorized access, successful exploitation could disrupt the availability of remote administration services.
For organizations that rely on BeyondTrust for daily IT operations and incident response, a service outage could disrupt critical administrative functions and delay recovery during a security incident.
CVE-2026-40141
CVE-2026-40141 may allow an authenticated user, under specific configurations, to access restricted resources beyond their intended permissions.
Unauthorized access to protected resources could compromise system integrity and increase the risk of privilege misuse or unauthorized administrative actions.
Although exploitation requires valid credentials, this vulnerability highlights the importance of enforcing least privilege and continuously monitoring privileged account activity.
Overall, BeyondTrust noted that the most severe vulnerabilities require specific authentication configurations to be present, which may reduce exposure for some deployments.
However, because remote access and privileged access management platforms are frequent targets for threat actors, organizations should prioritize applying the latest security updates and reviewing their authentication configurations regardless of their current deployment model.
Mitigating the BeyondTrust flaws
BeyondTrust has already applied patches to all cloud-hosted RS and PRA customers.
Organizations operating self-hosted deployments should:
- Patch to the latest version and adopt a zero trust approach by restricting administrative access to trusted networks, continuously verifying users and devices, and minimizing unnecessary internet exposure of RS and PRA appliances.
- Enforce phishing-resistant MFA and apply least-privilege access controls for all privileged accounts.
- Monitor authentication logs and privileged account activity for suspicious behavior.
- Review and remove unnecessary privileged accounts while segmenting remote access infrastructure from the broader enterprise network where possible.
- Test incident response plans and use attack simulation tools with scenarios around identity compromise and privilege escalation.
Collectively, these steps can help reduce exposure and build overall resilience.
Bottom Line
Although BeyondTrust has not reported active exploitation of these vulnerabilities, its remote access products have been targeted in previous campaigns, underscoring the importance of timely remediation.
Earlier this year, attackers exploited CVE-2026-1731 to compromise BeyondTrust appliances, while the Silk Typhoon campaign in 2024 leveraged BeyondTrust zero-day vulnerabilities to access multiple Remote Support SaaS instances, including one used by the U.S. Treasury.
As organizations strengthen remote access security, adopting zero trust solutions can help reduce risk by continuously verifying users, devices, and access requests before granting privileged access.





