BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices.
The vulnerabilities are listed below –
- CVE-2026-40138 (CVSS score: 9.2) – A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access stemming from improper validation of authentication data that could allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges.
- CVE-2026-40139 (CVSS score: 9.2) – A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support stemming from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges.
- CVE-2026-40140 (CVSS score: 8.7) – A pre-authentication vulnerability in the network communication subsystem stemming from insufficient validation of client-supplied input that could allow an unauthenticated remote attacker to trigger a denial-of-service condition, affecting appliance availability.
- CVE-2026-40141 (CVSS score: 8.5) – A vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access stemming from insufficient validation of user-supplied input that could allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope.
It’s worth noting that the successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. In the case of CVE-2026-40141, exploitation, should it occur, is restricted to accounts with specific permissions.
BeyondTrust said all the identified internally as part of ongoing security assessments, with assistance using publicly available artificial intelligence (AI) models like Anthropic Claude Opus 4.8 and its own proprietary research tooling.
“The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations,” it said. “Additional vulnerabilities may allow service disruption, unintended data access, and, under distinct configurations, elevated access by an authenticated user that may impact system integrity.”
The issues have been addressed in the following versions –
- Remote Support RS 25.3.2 or lower (Fixed in RS 25.3.3 and above)
- Privileged Remote Access PRA 25.3.2 or lower (Fixed in PRA 25.3.3 and above)
BeyondTrust makes no mention of the vulnerabilities being exploited in the wild. However, security flaws in RS and PRA products (CVE-2024-12356 and CVE-2026-1731) have come under repeated exploitation in the past to deploy web shells and backdoors, making it essential that users move quickly to apply the fixes.







