Critical Flaws Identified
BeyondTrust has released security updates to address multiple vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) solutions. The most severe flaws, tracked as CVE-2026-40138 and CVE-2026-40139, carry CVSS scores of 9.2 and involve pre-authentication bypass issues. An unauthenticated attacker positioned on the network could exploit these weaknesses to gain unauthorized access to affected appliances, including accounts with elevated privileges.
Two additional vulnerabilities were also patched. CVE-2026-40140 (CVSS 8.7) is a denial-of-service flaw in the network communication subsystem that could allow an unauthenticated remote attacker to crash the appliance. CVE-2026-40141” target=”_blank” rel=”noopener”>CVE-2026-40141 (CVSS 8.5) is an authenticated vulnerability that could let a user with limited privileges access resources beyond their authorized scope.
Remediation and Context
BeyondTrust noted that successful exploitation of the critical authentication bypass flaws depends on a specific authentication configuration being enabled. The company identified all vulnerabilities internally through ongoing security assessments, with some assistance from publicly available AI models and proprietary research tools.
The issues affect Remote Support version 25.3.2 and lower, as well as Privileged Remote Access version 25.3.2 and lower. Updates have been released in versions RS 25.3.3 and PRA 25.3.3. While BeyondTrust has not reported active exploitation of these particular flaws, previous vulnerabilities in these products (CVE-2024-12356 and CVE-2026-1731) have been exploited in the wild to deploy web shells and backdoors, making prompt patching essential.
Source: The Hacker News
