Cyber Security

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

IRavie LakshmananJuly 07, 2026Vulnerability / Business Security

BeyondTrust has released updates to address two critical security flaws affecting the Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthorized attackers to take control of vulnerable devices.

The risks are listed below –

  • CVE-2026-40138 (CVSS Score: 9.2) – A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Remote Access Essentials from improper validation of authentication data that could allow a network-based attacker to bypass access controls and gain unauthorized access to an authorized account, including an authenticated account.
  • CVE-2026-40139 (CVSS Score: 9.2) – A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support that stems from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the application, including accounts with elevated privileges.
  • CVE-2026-40140 (CVSS Score: 8.7) – A pre-authentication vulnerability in the network communication subsystem from insufficient authentication of input provided by the client could allow an unauthorized remote attacker to trigger a denial of service situation, affecting machine availability.
  • CVE-2026-40141 (CVSS Score: 8.5) – A vulnerability exists in the BeyondTrust Remote Support and Remote Access Critical web application from insufficient authentication of user-provided input that could allow an authorized attacker with limited permissions to access unintended resources or data beyond their scope of authorization.

It’s worth noting that successful exploits for CVE-2026-40138 and CVE-2026-40139 depend on certain authentication configurations being enabled. In the case of CVE-2026-40141, the exploit, if it occurred, was limited to accounts with certain permissions.

BeyondTrust said they were all identified internally as part of ongoing security testing, with the help of publicly available artificial intelligence (AI) models such as Anthropic Claude Opus 4.8 and its proprietary research tools.

“The most serious vulnerability could allow an unauthorized remote attacker to bypass access controls and gain unauthorized access to a machine running under certain configurations,” it said. “Additional vulnerabilities may allow service interruptions, unintended data access, and, under different configurations, elevated access by an authorized user that may affect system integrity.”

The issues have been resolved in the following versions –

  • Remote support RS 25.3.2 or below (Fixed for RS 25.3.3 and above)
  • Special Remote Access PRA 25.3.2 or below (Focused on PRA 25.3.3 and above)

BeyondTrust does not address vulnerabilities that are exploited in the wild. However, security flaws in RS and PRA products (CVE-2024-12356 and CVE-2026-1731) have been subject to repeated exploitation in the past to use web shells and backdoors, making it imperative that users move quickly to apply fixes.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button