Critical BeyondTrust Flaws Let Attackers Bypass Access Controls in Remote Support and PRA


BeyondTrust has patched four vulnerabilities in its Remote Support and Privileged Remote Access products, including two critical authentication bypass flaws that could let attackers gain unauthorized access to affected appliances.

The issues are covered under the BeyondTrust BT26-03 advisory. The most severe bugs carry a CVSS v4 score of 9.2 and affect environments where specific authentication configurations are enabled.

BeyondTrust says its Product Security team found the vulnerabilities internally during ongoing assessments, with help from AI-driven research using public AI models and proprietary tooling. The company says it has no evidence that the vulnerabilities were exploited or known outside BeyondTrust before remediation.

What BeyondTrust patched

The advisory covers two critical vulnerabilities and two high-severity vulnerabilities across Remote Support and Privileged Remote Access. The critical bugs sit in authentication handling, while the high-severity bugs involve denial of service and unintended resource access.

The first critical flaw, CVE-2026-40138, affects the authentication subsystem of both Remote Support and Privileged Remote Access. Improper validation of authentication data may allow a network-positioned attacker to bypass access controls and reach appliance accounts, including accounts with elevated privileges.

The second critical flaw, CVE-2026-40139, affects the authentication subsystem of Remote Support. Improper processing of authentication requests may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access under specific configurations.

CVESeverityCVSS v4 scoreAffected productMain impact
CVE-2026-40138Critical9.2Remote Support and Privileged Remote AccessAuthentication bypass and unauthorized appliance access
CVE-2026-40139Critical9.2Remote SupportAuthentication bypass and unauthorized appliance access
CVE-2026-40140High8.7Remote Support and Privileged Remote AccessPre-authentication denial of service
CVE-2026-40141High8.5Remote Support and Privileged Remote AccessLimited-privilege access to unintended resources or data

The two critical flaws need specific configurations

The authentication bypass risk is serious, but it is not unconditional across every deployment. BeyondTrust says exploitation of the two critical bugs requires specific authentication configurations to be enabled.

That detail matters for risk scoring, but it should not slow patching. Remote access and privileged access appliances often sit close to sensitive systems, so unauthorized access can create a direct path into administrative workflows.

The NVD entry for CVE-2026-40138 describes a network-positioned attacker bypassing access controls and reaching elevated appliance accounts. The NVD entry for CVE-2026-40139 describes a similar access-control bypass in Remote Support through improper processing of authentication requests.

High-severity bugs affect availability and data access

CVE-2026-40140 is a pre-authentication vulnerability in the network communication subsystem. BeyondTrust says insufficient validation of client-supplied input could let an unauthenticated remote attacker trigger a denial-of-service condition that affects appliance availability.

CVE-2026-40141 affects a web application component in Remote Support and Privileged Remote Access. The issue stems from insufficient validation of user-supplied input and could allow an authenticated attacker with limited privileges to access unintended resources or data.

NHS England Digital also issued an alert on the BeyondTrust advisory, describing the release as addressing two critical-impact and two high-impact vulnerabilities in Remote Support and Privileged Remote Access.

  • CVE-2026-40140 can affect appliance availability through a denial-of-service condition.
  • CVE-2026-40141 requires authentication and specific permissions.
  • The two critical bugs require specific authentication configurations.
  • Cloud customers were patched before public disclosure.
  • Self-hosted customers need to confirm that updates have been applied.

Affected and fixed versions

BeyondTrust lists Remote Support 25.3.2 or lower and Privileged Remote Access 25.3.2 or lower as affected. Customers should apply the April 2026 security rollup patches or upgrade to version 25.3.3 or later.

Cloud-hosted customers were patched automatically as of April 21, 2026. Self-hosted customers that do not receive automatic updates need to apply the relevant rollup patch or upgrade manually.

The official BT26-03 notice lists the fixed paths as April 2026 security rollup patches for the affected product version or RS 25.3.3 and above, and PRA 25.3.3 and above.

ProductAffected versionsFixed path
BeyondTrust Remote SupportRS 25.3.2 or lowerApril 2026 RS security rollup or RS 25.3.3 and above
BeyondTrust Privileged Remote AccessPRA 25.3.2 or lowerApril 2026 PRA security rollup or PRA 25.3.3 and above
Cloud-hosted RS and PRAPreviously affected before remediationPatched automatically as of April 21, 2026

Why attackers value remote access appliances

Remote Support and Privileged Remote Access tools exist to help administrators reach sensitive systems. That is exactly why attackers pay attention to them.

If an attacker gets unauthorized access to a remote support appliance, the appliance can become a trusted entry point rather than a normal compromised workstation. It may also expose privileged accounts, remote sessions, administrative workflows, and access routes into internal systems.

The risk is not theoretical. Earlier this year, BeyondTrust disclosed CVE-2026-1731, a separate critical pre-authentication remote code execution issue in Remote Support and certain older Privileged Remote Access versions. NVD notes that CVE-2026-1731 was added to CISAโ€™s Known Exploited Vulnerabilities catalog.

No known exploitation for BT26-03

BeyondTrust says the BT26-03 vulnerabilities were found proactively and fixed before any exploitation. The company also says it has no evidence that they were known outside BeyondTrust before remediation.

Still, internet-exposed remote access products tend to attract fast attacker interest after disclosure. Organizations should treat patching as urgent, especially when appliances are reachable from external networks or tied to privileged workflows.

Coverage from The Hacker News also noted that the latest flaws follow earlier BeyondTrust vulnerabilities that have faced exploitation in the past, which raises the operational urgency for self-hosted environments.

What administrators should do now

Administrators should first identify whether they run Remote Support or Privileged Remote Access on-premises, then confirm whether automatic updates or the April 2026 rollup patch already applied.

For exposed deployments, teams should prioritize patching, review authentication configuration, and check logs for unusual access attempts. Even though BeyondTrust reports no known exploitation of these issues, high-value appliances deserve extra scrutiny after a critical advisory.

NHS England Digitalโ€™s alert recommends reviewing the BeyondTrust advisory and applying the relevant updates. For teams that handled the earlier BeyondTrust CVE-2026-1731 response, the same principle applies here: confirm patch status rather than assuming automatic remediation covered every self-hosted instance.

  1. Inventory all Remote Support and Privileged Remote Access appliances.
  2. Identify whether each instance is cloud-hosted or self-hosted.
  3. Verify the installed version and update status.
  4. Apply the April 2026 security rollup or upgrade to 25.3.3 or later.
  5. Review authentication settings tied to external access.
  6. Restrict appliance access to trusted networks and administrators.
  7. Check logs for unexpected authentication attempts, session creation, and privilege use.

Why self-hosted environments need priority

Cloud customers have already received the fix, according to BeyondTrust. That leaves self-hosted deployments as the main exposure point if administrators have not applied the patches.

Self-hosted appliances can also differ from one environment to another. Some may sit behind VPNs, while others may face the internet. Some may have automatic updates enabled, while others depend on manual maintenance windows.

The practical takeaway is simple: every organization using BeyondTrust Remote Support or Privileged Remote Access should verify patch status now. The products provide powerful administrative reach, so even configuration-dependent authentication bypass flaws deserve immediate attention.

FAQ

What is BeyondTrust BT26-03?

BT26-03 is a BeyondTrust security advisory covering four vulnerabilities in Remote Support and Privileged Remote Access. It includes two critical authentication bypass flaws and two high-severity issues affecting availability and data access.

Which BeyondTrust products are affected?

BeyondTrust Remote Support 25.3.2 or lower and Privileged Remote Access 25.3.2 or lower are affected. Cloud-hosted customers were patched automatically as of April 21, 2026.

What are CVE-2026-40138 and CVE-2026-40139?

CVE-2026-40138 and CVE-2026-40139 are critical pre-authentication vulnerabilities that can allow attackers to bypass access controls and gain unauthorized appliance access under specific authentication configurations.

Has BeyondTrust seen exploitation of these vulnerabilities?

BeyondTrust says it has no evidence that the BT26-03 vulnerabilities were exploited or known outside the company before remediation. Security teams should still patch quickly because remote access appliances are high-value targets.

How can administrators fix the BeyondTrust vulnerabilities?

Administrators should apply the April 2026 security rollup patch for the affected product version or upgrade Remote Support and Privileged Remote Access to version 25.3.3 or later.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages