BeyondTrust Patches Critical Auth Bypass Flaws — Update Now

BeyondTrust dropped security updates for two critical vulnerabilities in its Remote Support and Privileged Remote Access products. These aren’t minor bugs. Successfully exploited, they let unauthenticated attackers take over vulnerable appliances.

Four vulnerabilities were disclosed in total:

  • CVE-2026-40138 (CVSS 9.2): Pre-auth bypass in the authentication subsystem of both RS and PRA. Improper validation of authentication data lets a network-positioned attacker bypass access controls and grab elevated privileges.
  • CVE-2026-40139 (CVSS 9.2): Similar pre-auth flaw specific to Remote Support. Improper processing of auth requests opens the door for remote takeover.
  • CVE-2026-40140 (CVSS 8.7): Pre-auth DoS in the network communication subsystem. Insufficient input validation lets attackers crash the appliance.
  • CVE-2026-40141 (CVSS 8.5): Authenticated privilege escalation via insufficient input validation in a web component.

Two of these (CVE-2026-40138 and CVE-2026-40139) depend on a specific authentication config being enabled. And the authenticated one (CVE-2026-40141) requires specific permissions. But still — these are dangerous.

BeyondTrust found these internally through ongoing security assessments, using AI models like Anthropic Claude Opus 4.8 and their own research tools.

The fixed versions are RS 25.3.3 and PRA 25.3.3 (or higher). If you’re running 25.3.2 or below, you’re exposed.

No word on active exploitation yet. But here’s the thing — BeyondTrust RS and PRA flaws have been hit before. CVE-2024-12356 and CVE-2026-1731 were used in the wild to deploy web shells and backdoors. Don’t wait. Patch now.

References