VYPR
patchPublished Jul 7, 2026· 3 sources

Critical BeyondTrust Flaws Allow Unauthenticated Access and Privilege Escalation

BeyondTrust has disclosed critical vulnerabilities in its Remote Support and Privileged Remote Access solutions, enabling unauthenticated attackers to bypass access controls and gain elevated privileges.

BeyondTrust has announced the discovery of multiple critical and high-severity vulnerabilities impacting its Remote Support (RS) and Privileged Remote Access (PRA) solutions. The security advisory, BT26-03, details flaws that could allow unauthenticated attackers to bypass access controls and gain unauthorized elevated privileges on sensitive systems. These vulnerabilities carry a maximum CVSS v4 score of 9.2, signaling a severe risk to organizations utilizing these products.

The most critical issues, identified as CVE-2026-40138 and CVE-2026-40139, stem from improper authentication mechanisms. These pre-authentication vulnerabilities, if exploited under specific configuration scenarios, could permit attackers to bypass access controls and gain unauthorized access to the appliance. Successful exploitation might lead to the compromise of accounts with elevated privileges, significantly increasing the potential for a full system breach. CVE-2026-40138 affects both RS and PRA due to improper validation of authentication data, while CVE-2026-40139 specifically impacts RS and is caused by improper processing of authentication requests.

BeyondTrust emphasized that exploitation of these critical flaws does not require any user interaction, making them particularly dangerous for environments with exposed remote access tools. In addition to the two critical vulnerabilities, two high-severity flaws were also disclosed. CVE-2026-40140 is a pre-authentication vulnerability in the network communication subsystem that could lead to a denial-of-service condition, impacting service availability. The second high-severity flaw, CVE-2026-40141, affects a web application component and could allow authenticated users with limited privileges to access unintended resources due to improper input validation.

According to BeyondTrust, customers using their cloud-hosted solutions have already been automatically patched as of April 21, 2026. However, organizations that manage their own self-hosted deployments of Remote Support and Privileged Remote Access are still at risk if they have not yet applied the necessary updates. The vulnerabilities affect versions 25.3.2 and earlier of both RS and PRA.

To mitigate these risks, BeyondTrust strongly advises all customers with self-hosted deployments to apply the April 2026 security rollup patches or upgrade to version 25.3.3 or a later release. These updates are designed to address all the vulnerabilities detailed in the advisory. Security teams are urged to prioritize the patching of these systems, especially if they are accessible from external networks.

The potential for unauthenticated exploitation and privilege escalation makes these vulnerabilities a prime target for attackers. They could be integrated into targeted attacks or broader intrusion campaigns, leading to significant data breaches and operational disruptions if left unaddressed. Organizations should conduct thorough assessments of their BeyondTrust deployments and ensure timely application of security updates.

This new report details three additional critical vulnerabilities affecting BeyondTrust Remote Support and Privileged Remote Access products. Beyond CVE-2026-40138, the article identifies CVE-2026-40139 (CVSS 9.2) and CVE-2026-40140 (CVSS 8.7), alongside a separate flaw CVE-2026-40141 (CVSS 8.5) impacting authenticated users. The vendor states these issues were discovered internally with AI assistance and have been fixed in versions 25.3.3 and above.

BeyondTrust has also released security updates for two high-severity security issues, CVE-2026-40140 and CVE-2026-40141, which could lead to denial-of-service or unauthorized access to restricted resources on unpatched systems. While the vendor did not report active exploitation of these specific flaws prior to patching, past vulnerabilities in BeyondTrust software have been exploited in the wild, including by the Chinese state-backed Silk Typhoon group.

Synthesized by Vypr AI