BeyondTrust patches critical authentication bypass flaws in remote access products

BeyondTrust has issued security updates for its Remote Support (RS) and Privileged Remote Access (PRA) products after discovering two critical vulnerabilities that could let attackers bypass authentic...

BeyondTrust has issued security updates for its Remote Support (RS) and Privileged Remote Access (PRA) products after discovering two critical vulnerabilities that could let attackers bypass authentication and reach protected systems.

The issues, tracked as CVE-2026-40138 and CVE-2026-40139, affect RS and PRA versions 25.3.2 and earlier. According to BeyondTrust, the first flaw is tied to an authentication weakness in the product’s access-control subsystem and could allow an unauthenticated attacker to get around login protections and reach appliance resources, including privileged accounts. The second vulnerability involves how RS authentication requests are handled and may also permit unauthorized remote access.

BeyondTrust said exploitation depends on a particular authentication setup being enabled, though it did not publish the exact conditions. In addition to the two critical bugs, the company also fixed two high-severity issues, CVE-2026-40140 and CVE-2026-40141, which could lead to denial-of-service conditions or unauthorized access to restricted information on unpatched systems.

Patch guidance

The company stated that cloud-hosted RS and PRA customers were already protected by a patch applied on April 21, 2026. Organizations running self-hosted deployments are being urged to install the April security rollup if automatic updates are not enabled, or upgrade to RS 25.3.3 or later and PRA 25.3.3 or later.

Shadowserver currently tracks close to 2,000 BeyondTrust RS and PRA instances exposed on the public internet. It is not clear how many of those systems are honeypots, already patched, or still vulnerable.

Why the findings matter

BeyondTrust’s remote access products are used to manage sensitive environments, so flaws that weaken authentication can have serious consequences. The company noted that the most severe bugs may allow an external attacker to gain access under specific configurations, while the additional issues may enable service disruption, unintended data exposure, or elevated access by authenticated users.

BeyondTrust did not say these newly disclosed vulnerabilities were being exploited before the patches were released. However, the company’s remote support software has been targeted in previous attacks, underscoring the need for administrators to apply updates quickly and review exposed instances for signs of compromise.