Published on July 7, 2026

Critical BeyondTrust Authentication Vulnerabilities Affect Remote Support (RS) and Privileged Remote Access (PRA) Appliances


Severity

Critical

Detail

BeyondTrust has disclosed multiple vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) appliances. The vulnerabilities, tracked under advisory BT26-03, include critical and high-severity flaws that could lead to authentication bypass, denial-of-service (DoS), and unauthorized access to sensitive data.

The most critical vulnerabilities affect the authentication mechanism and have a maximum CVSS v4 score of 9.2 (Critical). Improper validation and processing of authentication data could allow unauthenticated attackers to bypass authentication controls and gain unauthorized access to affected appliances. In certain configurations, successful exploitation may result in the compromise of privileged accounts, increasing the risk of lateral movement and broader enterprise compromise.

According to BeyondTrust, exploitation of the authentication bypass vulnerabilities requires specific authentication configurations to be enabled but does not require user interaction, making internet-facing appliances attractive targets for remote attacks.

Additional vulnerabilities may allow attackers to trigger denial-of-service (DoS) conditions through uncontrolled resource consumption or enable authenticated users with limited privileges to access unauthorized data due to improper input validation within web application components.

BeyondTrust has confirmed that cloud-hosted deployments were automatically patched on April 21, 2026. However, self-hosted deployments remain vulnerable if security updates have not been applied.

CVE IDSummaryCVSS Score
CVE-2026-40138A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access.9.2 (Critical)
CVE-2026-40139A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support.9.2 (Critical)
CVE-2026-40140BeyondTrust Remote Support and Privileged Remote Access contain a high-severity pre-authentication vulnerability in the network communication subsystem.8.7 (High)
CVE-2026-40141A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access related to the processing of certain input parameters.8.5 (High)

Affected Products

The vulnerabilities affect the following BeyondTrust products:

  • BeyondTrust Remote Support (RS) versions 25.3.2 and earlier
  • BeyondTrust Privileged Remote Access (PRA) versions 25.3.2 and earlier

Recommendation

Organizations using affected BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) appliances are advised to apply the April 2026 security rollup patches or upgrade to version 25.3.3 or later. Organizations should also review their authentication configurations to reduce the risk of exploitation, particularly for internet-facing deployments.


Source

https://gbhackers.com/critical-beyondtrust-authentication-flaws/

https://www.beyondtrust.com/trust-center/security-advisories/bt26-03