Skip to main content
CybersecurityVulnerability Management

BeyondTrust Fixes Auth Bypass Flaws in Remote Support Software

Remote support software appliance on a workbench with a technician in the background.

"The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations," BeyondTrust said.

Products affected: Remote Support (RS) and Privileged Remote Access (PRA)

BeyondTrust has released security updates for two of its appliance products after finding multiple critical flaws. The company identified defects in Remote Support (RS) and Privileged Remote Access (PRA) that could, if exploited, allow an unauthenticated remote actor to take control of affected appliances. The vendor says the fixes are included in Remote Support RS 25.3.3 (and above) and Privileged Remote Access PRA 25.3.3 (and above); systems running RS or PRA 25.3.2 or lower should be updated.

The four tracked vulnerabilities and their impact

  • CVE-2026-40138 (CVSS 9.2) — A pre-authentication vulnerability in the authentication subsystem of RS and PRA caused by improper validation of authentication data; a network-positioned attacker could bypass access controls and gain unauthorized access, including to accounts with elevated privileges.
  • CVE-2026-40139 (CVSS 9.2) — A pre-authentication authentication-subsystem flaw in Remote Support stemming from improper processing of authentication requests; an unauthenticated remote attacker could bypass access controls and gain unauthorized access, including privileged accounts.
  • CVE-2026-40140 (CVSS 8.7) — A pre-authentication vulnerability in the network communication subsystem due to insufficient validation of client-supplied input; an unauthenticated remote attacker could trigger a denial-of-service condition affecting appliance availability.
  • CVE-2026-40141 (CVSS 8.5) — A web-application component flaw in RS and PRA from insufficient validation of user-supplied input; an authenticated attacker with limited privileges could access unintended resources or data beyond their authorization scope.

Exploitation scope: configuration and permission constraints

BeyondTrust notes two important limiting factors to exploitation. Successful exploitation of CVE-2026-40138 and CVE-2026-40139 depends on a specific authentication configuration being enabled. Exploitation of CVE-2026-40141 is further constrained to accounts that hold particular permissions. The company did not report any confirmed exploitation in the wild in this advisory.

How the flaws were found and fixed

BeyondTrust said the issues were identified internally as part of ongoing security assessments, with assistance using publicly available artificial intelligence (AI) models like Anthropic Claude Opus 4.8 and its own proprietary research tooling. The company remediated the faults in the 25.3.3 releases for both RS and PRA and advised customers to update promptly.

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: prioritize upgrades to RS 25.3.3 and PRA 25.3.3 where applicable, and verify authentication configurations that could enable the most severe bypass scenarios.
  • Affected enterprises and procurement leaders: treat appliances running RS or PRA 25.3.2 or lower as high-risk until patched; review access controls and account permission assignments that could limit the impact of CVE-2026-40141.
  • Adversaries and threat actors: previous exploitation of other BeyondTrust flaws has been observed, so the vendor’s note that these flaws were not reported as exploited should not be taken as permanent assurance—history shows such appliances can be attractive post-exploitation targets.

BeyondTrust also reminded customers of the operational risk inherent in exposed privileged-access appliances: similar flaws in RS and PRA (CVE-2024-12356 and CVE-2026-1731) have previously been exploited to deploy web shells and backdoors, a point the vendor used to underscore the importance of rapid patching. While the company’s advisory does not report active exploitation of the four newly disclosed CVEs, the combination of high CVSS scores, pre-authentication bypass potential, and prior exploitation history argues for a swift and deliberate response.

Enterprises running the affected appliances should apply the RS 25.3.3 and PRA 25.3.3 updates without delay, inspect authentication settings tied to the two pre-auth bypass issues, and review account permissions related to CVE-2026-40141. BeyondTrust’s use of both internal tooling and publicly available AI models in discovery is a detail that may shape how other vendors structure future assessments, but the immediate operational question remains simple: are your appliances updated and configured to limit these known paths to takeover?

Original advisory: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html