BeyondTrust Warns of Critical Vulnerabilities in Remote Access Software
BeyondTrust has issued an urgent notice regarding two critical security flaws impacting its Remote Support (RS) and Privileged Remote Access (PRA) software, which could enable unauthorized access to systems.
Critical Vulnerabilities in Remote Access Solutions
BeyondTrust has issued an urgent notice regarding two critical security flaws impacting its Remote Support (RS) and Privileged Remote Access (PRA) software, which could enable unauthorized access to systems. The first vulnerability, designated CVE-2026-40138, affects RS versions 25.3.2 and earlier, as well as PRA versions 25.3.2 and earlier. This flaw arises from a flaw in the authentication subsystem, allowing attackers without prior privileges to circumvent access controls and gain access to systems with elevated permissions. The second vulnerability, CVE-2026-40139, involves improper handling of authentication requests within RS, granting unauthenticated users the ability to access vulnerable systems. Both issues require specific authentication configurations to be active for exploitation, though details about these conditions remain undisclosed.
CVE-2026-40138 and CVE-2026-40139
The first vulnerability, designated CVE-2026-40138, affects RS versions 25.3.2 and earlier, as well as PRA versions 25.3.2 and earlier. This flaw arises from a flaw in the authentication subsystem, allowing attackers without prior privileges to circumvent access controls and gain access to systems with elevated permissions. The second vulnerability, CVE-2026-40139, involves improper handling of authentication requests within RS, granting unauthenticated users the ability to access vulnerable systems. Both issues require specific authentication configurations to be active for exploitation, though details about these conditions remain undisclosed.
High-Severity Issues and Patching
BeyondTrust also addressed two high-severity issues, CVE-2026-40140 and CVE-2026-40141, which could lead to denial-of-service scenarios or unauthorized access to restricted resources on unpatched RS and PRA systems. The company emphasized that the most severe vulnerabilities could allow unauthenticated attackers to bypass protections under certain configurations, while other flaws might result in service disruptions or unintended data exposure. A patch was deployed for all cloud-based RS/PRA customers by April 21, 2026, with self-hosted users advised to apply the April security update for affected versions.
Shadowserver’s Findings and Past Incidents
Shadowserver, an independent security monitoring group, has identified nearly 2,000 RS and PRA instances exposed online, though it has not confirmed how many are honeypots or already secured against these flaws. The vulnerabilities have drawn attention due to their potential for exploitation, particularly following past incidents involving similar flaws. For example, a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) was previously used to establish WebSocket connections and deploy ransomware. Additionally, BeyondTrust flaws have been linked to attacks on U.S. government agencies. Two years ago, the U.S. Treasury Department disclosed a breach tied to the Chinese state-sponsored Silk Typhoon group, which exploited two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) to compromise 17 Remote Support SaaS instances, including the Treasury’s system. The group also targeted the Committee on Foreign Investment in the United States and the Office of Foreign Assets Control.
Security teams report that 54% of successful attacks go undetected, with only 14% triggering alerts. Tools like breach and attack simulation can test detection systems to identify gaps. Organizations are urged to verify their defenses against emerging threats.
