- BeyondTrust disclosed four pre-authentication vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products.
- Two critical flaws (CVE-2026-40138 and CVE-2026-40139), each carrying a CVSS score of 9.2, could let unauthenticated attackers bypass access controls and gain elevated privileges.
- Additional vulnerabilities include a denial-of-service flaw (CVE-2026-40140, CVSS 8.7) and an authenticated privilege escalation bug (CVE-2026-40141, CVSS 8.5).
- BeyondTrust has released patched versions (RS 25.3.3 and PRA 25.3.3) and urges immediate updates, citing past exploitation of similar flaws.
On July 7, 2026, BeyondTrust released urgent security updates to patch four critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products, warning that the most severe flaws could allow unauthenticated attackers to seize control of susceptible appliances. The two most critical issues, CVE-2026-40138 and CVE-2026-40139, both carry a CVSS score of 9.2 and stem from improper validation of authentication data, enabling a network-positioned attacker to bypass access controls and gain elevated privileges.
However, successful exploitation of these two critical flaws depends on a specific authentication configuration being enabled on the appliance. Meanwhile, the CVE-2026-40140 vulnerability (CVSS 8.7) is a pre-authentication denial-of-service issue caused by insufficient validation of client-supplied input, which could disrupt appliance availability. Additionally, CVE-2026-40141 (CVSS 8.5) is a privilege escalation flaw that, upon exploitation, is restricted to accounts with specific permissions.
BeyondTrust identified all four vulnerabilities internally during ongoing security assessments, with assistance from publicly available artificial intelligence models like Anthropic Claude Opus 4.8 and its own proprietary research tooling. The company stated, “The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations.”
Consequently, BeyondTrust has addressed the issues in versions RS 25.3.3 and PRA 25.3.3 and above. Though no exploitation in the wild has been reported, the company emphasized that similar security flaws in RS and PRA products have been repeatedly exploited in the past to deploy web shells and backdoors, making it essential for users to apply fixes immediately.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
