BeyondTrust Issues Fixes for Critical Auth Bypass Bugs in Remote Support and PRA
BeyondTrust has released security updates for two of its remote access products after finding critical flaws that could let attackers bypass authentication and gain unauthorized access under certain c...
BeyondTrust has released security updates for two of its remote access products after finding critical flaws that could let attackers bypass authentication and gain unauthorized access under certain conditions.
The issues affect BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). According to the company, the most serious bugs could enable a network-based attacker to get into an appliance without valid credentials, including access to accounts with elevated privileges. Another flaw can cause a denial-of-service condition, while a separate issue may let a limited-privilege user reach data or functions outside their intended permissions.
Tracked vulnerabilities
- CVE-2026-40138 - A pre-authentication authentication bypass in RS and PRA with a CVSS score of 9.2.
- CVE-2026-40139 - A similar pre-authentication bypass in RS, also rated 9.2.
- CVE-2026-40140 - A pre-authentication flaw that could be used to disrupt service, rated 8.7.
- CVE-2026-40141 - An input-validation issue in a web application component that may allow unauthorized access to resources, rated 8.5.
BeyondTrust said the most severe vulnerabilities depend on a particular authentication setting being enabled. The access-control issue tied to CVE-2026-40141 is also limited to accounts with specific permissions.
All four weaknesses were found internally as part of the company’s security review process. BeyondTrust said it used its own research tools along with publicly available AI models during the assessment.
The vendor has fixed the problems in:
- Remote Support RS 25.3.3 and later
- Privileged Remote Access PRA 25.3.3 and later
There is no indication that the flaws are being actively exploited at this time. Even so, BeyondTrust customers are being urged to patch quickly, especially given the history of past attacks targeting RS and PRA products for web shell and backdoor deployment.
