"The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Additional vulnerabilities may allow service disruption, unintended data access, and under distinct configurations, elevated access by an authenticated user that may impact system integrity," BeyondTrust said.
The technical defects: CVE-2026-40138 and CVE-2026-40139
BeyondTrust disclosed two critical authentication-related flaws in its Remote Support (RS) and Privileged Remote Access (PRA) products. The first, tracked as CVE-2026-40138, affects RS (versions 25.3.2 or earlier) and PRA (versions 25.3.2 or earlier) and "stems from an improper authentication weakness in the authentication subsystem," the company said. Successful exploitation could allow attackers without privileges to bypass access controls and access targeted appliances — including accounts with elevated privileges.
The second, CVE-2026-40139, "stems from improper processing of BeyondTrust RS authentication requests," and enables unauthenticated remote attackers to gain unauthorized access to vulnerable instances. BeyondTrust noted that exploitation in both cases also requires a specific authentication configuration to be enabled but said it did not share further details about that configuration.
Affected versions, additional high-severity issues, and configuration caveats
- Both critical issues impact RS and PRA versions 25.3.2 and earlier.
- BeyondTrust also released fixes for two additional high-severity flaws, CVE-2026-40140 and CVE-2026-40141, which can be exploited to trigger denial-of-service or to access restricted resources on unpatched RS and PRA instances.
- For the critical bypass scenarios, BeyondTrust emphasized that a "specific authentication configuration" must be present for exploitation to succeed; the company did not disclose what that configuration is.
- BeyondTrust said it had no public details that these newly disclosed flaws had been abused in the wild prior to the patching announcement.
Patching, timelines, and recommended actions
BeyondTrust reported that "A patch has been applied to all RS/PRA cloud customers as of April 21, 2026." For self-hosted instances, the vendor advised administrators to either apply the April security rollup patch for the affected version if the instance is not subscribed to automatic updates, or upgrade to RS 25.3.3 & above or PRA 25.3.3 & above.
Those running self-hosted appliances who have not applied the April rollup or upgraded to 25.3.3+ remain exposed to the conditions described for CVE-2026-40138 and CVE-2026-40139, as well as the high-severity CVE-2026-40140 and CVE-2026-40141. BeyondTrust’s dual approach — cloud patching on its side and rollups/updates for self-hosted customers — places responsibility on operators to confirm whether their instances are cloud-managed or self-hosted and to take the recommended remediation steps.
Historical context: prior exploitation and the Silk Typhoon incidents
BeyondTrust cautioned that although it did not report in-the-wild exploitation for these specific CVEs, the company’s remote support products have been exploited previously. The disclosure cites a recent critical pre-authentication remote code execution flaw (CVE-2026-1731) that was used to establish WebSocket channels and deploy ransomware on vulnerable systems.
Two years earlier, the U.S. Treasury Department disclosed a network intrusion linked to the "notorious Chinese state-backed Silk Typhoon cyberespionage group." According to the account in the source material, Silk Typhoon is believed to have exploited two zero-days (CVE-2024-12356 and CVE-2024-12686) to breach BeyondTrust's systems, use a stolen API key, and compromise 17 Remote Support SaaS instances — including the Treasury Department's instance. The same group also targeted the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC).
What this means for technologists, procurement leaders, and U.S. government agencies
- Technologists and security teams: Confirm whether your RS/PRA instances are cloud-managed or self-hosted; cloud tenants received the April 21, 2026 patch automatically, while self-hosted operators must apply the April rollup or upgrade to 25.3.3+.
- Procurement and IT leadership: Inventory Remote Support and Privileged Remote Access deployments and ensure contractual or operational paths exist for timely patching, particularly for self-hosted instances that depend on vendor rollups or manual upgrades.
- U.S. government agencies and similarly sensitive organizations: The past compromises tied to stolen API keys and zero-days underscore the operational risk from supplier-side breaches; agencies that use RS/PRA should validate cloud tenancy status, patch status, and any audit logs that could reveal anomalous access.
BeyondTrust’s disclosure ties a familiar vulnerability class — authentication bypass — to a product that has previously been a target in high-profile intrusions. With cloud instances already patched as of April 21, 2026, the immediate technical step is straightforward for cloud customers; the more durable challenge rests with self-hosted operators and with understanding which authentication configurations open the door in the first place. That unanswered detail will shape how urgently remaining users must act and how defenders model potential attacker behavior.
Source: BleepingComputer — BeyondTrust warns of critical flaws in remote access software




