BeyondTrust Patches Four Auth Bypass Flaws in Remote Support
CVE-2026-40138 and CVE-2026-40139 (CVSS 9.2) enable pre-auth bypass in BeyondTrust Remote Support and PRA. Flaws found using Claude AI during internal audit.
BeyondTrust released patches Monday for four critical vulnerabilities in its Remote Support and Privileged Remote Access products, including two pre-authentication bypass flaws that could allow attackers to gain unauthorized access without valid credentials.
The most severe issues, CVE-2026-40138 and CVE-2026-40139, both carry CVSS scores of 9.2. They affect the authentication subsystem and request processing components respectively, enabling attackers to bypass authentication entirely under specific configurations.
The Vulnerability Details
| CVE | CVSS | Impact |
|---|---|---|
| CVE-2026-40138 | 9.2 | Pre-authentication bypass in authentication subsystem |
| CVE-2026-40139 | 9.2 | Pre-authentication bypass in RS authentication request processing |
| CVE-2026-40140 | 8.7 | Denial-of-service in network communication subsystem |
| CVE-2026-40141 | 8.5 | Privilege escalation in web application component |
BeyondTrust noted that "successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled." The company didn't specify which configuration, likely to avoid providing a roadmap for attackers.
What's Affected
Both Remote Support (RS) and Privileged Remote Access (PRA) versions 25.3.2 and earlier are vulnerable. Organizations should update to version 25.3.3 or later immediately.
These products are enterprise staples for IT helpdesks and privileged access management. They're deployed to provide remote support to end users and manage access to critical systems. A compromise could give attackers the same elevated access that legitimate administrators use.
Discovery Method Stands Out
The vulnerabilities were identified through internal security assessments using AI tools—specifically Anthropic's Claude Opus 4.8. BeyondTrust appears to be among the first major enterprise vendors to publicly credit AI-assisted vulnerability discovery in their own products.
This approach mirrors what we're seeing across the industry. OpenSSL recently patched a high-severity flaw discovered through similar AI-assisted research, and Adobe has cited accelerated AI-powered vulnerability discovery as the reason for moving to twice-monthly security bulletins.
No Active Exploitation — But History Repeats
BeyondTrust hasn't observed exploitation in the wild for these new CVEs. But that's cold comfort given the company's recent track record.
Earlier this year, CVE-2026-1731—a critical RCE flaw in the same products—was weaponized within 24 hours of public PoC availability. Attackers deployed VShell and SparkRAT payloads through compromised instances. Even earlier, CVE-2024-12356 was used to establish backdoors and web shells across multiple victim networks.
Remote access tools are high-value targets precisely because they're designed to provide privileged access. Attackers who compromise them inherit legitimate-looking access that's harder to distinguish from normal administrative activity.
Immediate Remediation Steps
Organizations running BeyondTrust Remote Support or PRA should:
- Update to version 25.3.3+ immediately
- Review authentication configurations — understand which settings are enabled
- Audit access logs for unusual authentication patterns or failed login attempts
- Monitor for IOCs from prior BeyondTrust exploitation campaigns
- Verify no unauthorized sessions exist in active connection logs
If patching requires a maintenance window, consider temporarily restricting external access to management interfaces.
The Bigger Picture
Remote access and privileged access management tools have become a favorite target class in 2026. SimpleHelp's CVE-2026-48558 enabled MSP supply chain attacks. ConnectWise ScreenConnect vulnerabilities led to ransomware deployments.
The pattern is consistent: these tools are trusted implicitly by endpoint security solutions, have broad network access, and often connect to the most sensitive systems. A single vulnerability becomes a master key.
For security teams, the lesson is uncomfortable but clear: the tools meant to enable secure remote work are themselves attack surfaces. Defense in depth—network segmentation, behavioral monitoring, and session recording—becomes essential to catch compromise even when the access looks legitimate.
What to Watch
Expect PoC development efforts to begin once researchers reverse-engineer the patches. The 24-hour window between PoC release and active exploitation that we saw with CVE-2026-1731 suggests organizations have very little time to react once technical details emerge.
CISA hasn't yet added these CVEs to the KEV catalog, but given BeyondTrust's track record, that addition seems likely if exploitation begins.
Related Articles
Oracle E-Business CVE-2026-46817 Under Active Attack—CVSS 9.8
Critical authentication bypass in Oracle Payments (CVE-2026-46817) is being actively exploited. Over 900 vulnerable instances exposed online, with attackers achieving system takeover via unauthenticated HTTP requests.
Jul 6, 2026Fortra PAM Flaw Lets Attackers Run Commands Without Auth
CVE-2026-9862 (CVSS 9.8) in Fortra Core Privileged Access Manager (BoKS) enables unauthenticated command injection via the autoregistration service. Restrict port 6507 access immediately.
Jun 26, 2026Palo Alto GlobalProtect Auth Bypass Under Active Attack — CISA KEV
CVE-2026-0257 lets attackers forge VPN cookies to access internal networks without credentials. CISA adds to KEV after Rapid7 confirms exploitation since May 17. Federal deadline June 19.
May 30, 2026Cisco SD-WAN CVSS 10 Flaw Under Active Attack — Patch Now
CVE-2026-20182 lets unauthenticated attackers gain admin access to Cisco Catalyst SD-WAN controllers. CISA adds to KEV with federal deadline. Here's what you need to know.
May 29, 2026