vulnerability

BeyondTrust auth bypass flaws put remote support appliances on the urgent patch list

Lucas OliveiraLucas OliveiraResearch
July 13, 2026·8 min read
BeyondTrust auth bypass flaws put remote support appliances on the urgent patch list

BeyondTrust has disclosed four vulnerabilities in its Remote Support and Privileged Remote Access products, including two critical pre-authentication flaws that can let attackers bypass access controls under specific authentication configurations.

The critical issues are tracked as CVE-2026-40138 and CVE-2026-40139. Both carry a CVSS v4 score of 9.2 in BeyondTrust's advisory and both sit in the authentication subsystem. That placement matters. Remote support and privileged access appliances are not ordinary web apps; they are systems administrators use to reach workstations, servers, vendor access paths, and sensitive internal environments.

BeyondTrust says the flaws were found internally, fixed before public disclosure, and not known to have been exploited before remediation. That is good news. It does not make the patch optional. Pre-authentication authentication failures in remote administration products have a short path from advisory to attacker interest, especially when the affected systems are self-hosted and reachable from broad networks.

What BeyondTrust fixed

The vendor advisory, BT26-03, covers four CVEs:

  • CVE-2026-40138, a critical improper-authentication issue affecting Remote Support and Privileged Remote Access
  • CVE-2026-40139, a critical improper-authentication issue affecting Remote Support
  • CVE-2026-40140, a high-severity pre-authentication denial-of-service issue in the network communication subsystem
  • CVE-2026-40141, a high-severity authorization issue in a web application component

The two critical flaws are the operational priority. CVE-2026-40138 stems from improper validation of authentication data. CVE-2026-40139 stems from improper processing of authentication requests. In both cases, successful exploitation can allow an unauthenticated or network-positioned attacker to gain unauthorized access to the appliance, including access to elevated accounts, when a specific authentication configuration is enabled.

That condition is important. The advisory does not say every BeyondTrust appliance is instantly compromised. It says the risky path depends on configuration. But defenders should verify that condition, not assume they are outside it.

A remote support appliance is a control plane

Remote Support and Privileged Remote Access are built to solve real operational problems: help desks need to support users, administrators need controlled access to systems, and third parties often need audited entry points into internal environments.

That also makes the appliances high-value targets. If an attacker gains access to the appliance, the next question is not simply "which web account was opened?" It is "what can that account reach?"

Depending on deployment and permissions, compromise can expose:

  • remote support sessions
  • privileged access workflows
  • administrative accounts
  • vendor access paths
  • session recordings and audit data
  • internal hostnames and inventory
  • credentials, tokens, or secrets used by integrations
  • pathways into servers, workstations, and management networks

This is why an authentication bypass in a remote access product deserves a different response than a normal business-application bug. It can become an account takeover event inside a privileged operations layer.

Cloud customers and self-hosted customers have different work

BeyondTrust says the patch was applied to all Remote Support and Privileged Remote Access cloud customers as of April 21, 2026. For cloud tenants, the immediate question is still worth asking, but the remediation is already handled by the provider.

Self-hosted customers have more work. BeyondTrust says self-hosted customers should apply the April security rollup patch for the affected version if the instance is not subscribed to automatic updates, or upgrade to fixed versions:

  • Remote Support 25.3.3 and above
  • Privileged Remote Access 25.3.3 and above

The affected-version table in the advisory lists Remote Support 25.3.2 or lower and Privileged Remote Access 25.3.2 or lower. NVD entries for the critical flaws also show affected ranges below fixed 25.x and 26.x boundaries, so teams should compare their exact branch against vendor guidance rather than relying on a single major-version assumption.

For practical purposes, asset owners should answer three questions immediately:

  1. Do we run self-hosted BeyondTrust Remote Support or Privileged Remote Access?
  2. Are any appliances at or below the affected versions?
  3. Are the appliances reachable from the internet, partner networks, VPN users, or broad internal segments?

The more exposed the appliance, the higher the priority.

No known exploitation is not a reason to wait

BeyondTrust states that the issues were found through internal research and fixed before any known exploitation. CISA's SSVC enrichment in NVD also marks exploitation as "none" for the two critical CVEs at the time of publication.

That is the calm part of the story. The uncomfortable part is the product category.

Remote access appliances have been heavily targeted in recent years because they offer direct operational leverage. The same BeyondTrust product family has previously appeared in urgent patch cycles, including earlier command-injection vulnerabilities that drew active attacker interest. The pattern is familiar across edge products, VPNs, RMM tools, identity gateways, and privileged access systems: once a pre-authentication bug is public, defenders lose time quickly.

This does not mean teams should invent exploitation claims that are not supported by the advisory. It means they should treat the patch as urgent because the affected system is a privileged control plane.

What defenders should do now

Start with inventory. Find all BeyondTrust Remote Support and Privileged Remote Access appliances, including production, disaster recovery, lab, old vendor-access systems, and instances behind reverse proxies or access gateways.

Then verify versions and update status. For self-hosted systems, apply the relevant April security rollup or upgrade to Remote Support 25.3.3 or later and Privileged Remote Access 25.3.3 or later. Confirm the running build after the update, not only the package or appliance-management screen before reboot.

Next, review authentication configuration. The two critical vulnerabilities depend on specific authentication configurations. Confirm which identity providers, SSO settings, external authentication methods, and privileged account mappings are enabled. If a configuration is no longer needed, remove it rather than leaving it as a forgotten compatibility setting.

Restrict reachability. Remote support appliances often need to be reachable by users, vendors, or support staff, but that does not mean every interface should be reachable by everyone. Put administrative surfaces behind strong access controls. Limit appliance access to expected networks, enforce MFA where supported, and remove direct internet exposure where a stronger access pattern is available.

Finally, review telemetry. Even with no confirmed exploitation, any appliance that was exposed and vulnerable deserves a focused incident response check. Look for unusual authentication attempts, new users, changed roles, modified SSO settings, unexpected vendor sessions, new jump policies, odd session times, and access from unfamiliar networks.

What to check if exposure was high

If a BeyondTrust appliance was internet-facing or broadly reachable while vulnerable, treat the review as more than a patch ticket.

Useful checks include:

  • newly created or modified administrative users
  • changes to authentication providers, SAML/OIDC settings, or local login policy
  • unexpected privileged sessions or remote support sessions
  • suspicious session recordings, file transfers, command activity, or endpoint connections
  • policy changes that expand access to servers or privileged accounts
  • new API keys, integration changes, or automation accounts
  • outbound connections from the appliance to unfamiliar infrastructure
  • logs showing malformed authentication requests or unusual authentication errors

If suspicious activity appears, move quickly to containment. Preserve logs, rotate credentials tied to the appliance, review privileged accounts that could have been reached through it, and validate downstream systems for lateral movement.

Why configuration-aware exposure matters

The core defender lesson is not only "patch BeyondTrust." It is that privileged access products need configuration-aware exposure management.

Many organizations can list software versions. Fewer can quickly answer which remote support appliances are self-hosted, which authentication modes are enabled, which networks can reach them, which vendors use them, and which systems they can touch after login. That missing context is where risk hides.

For this advisory, the highest-risk environment is not just "has BeyondTrust." It is self-hosted BeyondTrust, affected version, relevant authentication configuration, and attacker-reachable network path. Security teams that can combine those four pieces can prioritize confidently. Teams that cannot should assume they need to investigate until the picture is clear.

The bigger takeaway

Remote support and privileged access systems are part of the security boundary. They deserve the same urgency as VPNs, identity providers, and internet-facing management consoles.

CVE-2026-40138 and CVE-2026-40139 are not reported as exploited today, but they are critical vulnerabilities in the part of the stack that decides who can reach privileged systems. That is enough to justify fast patching, configuration review, exposure reduction, and a short compromise assessment for exposed self-hosted appliances.

The smart response is measured but immediate: update, verify, restrict, and review.

What are CVE-2026-40138 and CVE-2026-40139?

They are critical pre-authentication improper-authentication vulnerabilities in BeyondTrust Remote Support and Privileged Remote Access products. Successful exploitation can bypass appliance access controls under specific authentication configurations.

Are the BeyondTrust flaws being exploited?

BeyondTrust says it has no evidence that these issues were exploited or known outside the company before remediation. NVD's CISA enrichment also marks exploitation as none at the time of publication.

Which versions should self-hosted customers move to?

BeyondTrust says self-hosted customers should apply the April security rollup for the affected version or upgrade to Remote Support 25.3.3 and above or Privileged Remote Access 25.3.3 and above.

Why is this urgent if there is no known exploitation?

Because Remote Support and Privileged Remote Access appliances can provide access to sensitive systems. Pre-authentication bugs in remote administration control planes are high-value targets once disclosed.

References

  1. BT26-03
  2. CVE-2026-40138 Detail
  3. CVE-2026-40139 Detail
  4. BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
  5. How to find BeyondTrust appliances on your network
  6. Critical Vulnerabilities in BeyondTrust Remote Support and Privileged Remote Access (CVE-2026-40138, CVE-2026-40139)

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.