PROBABLYPWNED
VulnerabilitiesJuly 8, 20264 min read

BeyondTrust Patches Four Auth Bypass Flaws in Remote Support

CVE-2026-40138 and CVE-2026-40139 (CVSS 9.2) enable pre-auth bypass in BeyondTrust Remote Support and PRA. Flaws found using Claude AI during internal audit.

Marcus Chen

BeyondTrust released patches Monday for four critical vulnerabilities in its Remote Support and Privileged Remote Access products, including two pre-authentication bypass flaws that could allow attackers to gain unauthorized access without valid credentials.

The most severe issues, CVE-2026-40138 and CVE-2026-40139, both carry CVSS scores of 9.2. They affect the authentication subsystem and request processing components respectively, enabling attackers to bypass authentication entirely under specific configurations.

The Vulnerability Details

CVECVSSImpact
CVE-2026-401389.2Pre-authentication bypass in authentication subsystem
CVE-2026-401399.2Pre-authentication bypass in RS authentication request processing
CVE-2026-401408.7Denial-of-service in network communication subsystem
CVE-2026-401418.5Privilege escalation in web application component

BeyondTrust noted that "successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled." The company didn't specify which configuration, likely to avoid providing a roadmap for attackers.

What's Affected

Both Remote Support (RS) and Privileged Remote Access (PRA) versions 25.3.2 and earlier are vulnerable. Organizations should update to version 25.3.3 or later immediately.

These products are enterprise staples for IT helpdesks and privileged access management. They're deployed to provide remote support to end users and manage access to critical systems. A compromise could give attackers the same elevated access that legitimate administrators use.

Discovery Method Stands Out

The vulnerabilities were identified through internal security assessments using AI tools—specifically Anthropic's Claude Opus 4.8. BeyondTrust appears to be among the first major enterprise vendors to publicly credit AI-assisted vulnerability discovery in their own products.

This approach mirrors what we're seeing across the industry. OpenSSL recently patched a high-severity flaw discovered through similar AI-assisted research, and Adobe has cited accelerated AI-powered vulnerability discovery as the reason for moving to twice-monthly security bulletins.

No Active Exploitation — But History Repeats

BeyondTrust hasn't observed exploitation in the wild for these new CVEs. But that's cold comfort given the company's recent track record.

Earlier this year, CVE-2026-1731—a critical RCE flaw in the same products—was weaponized within 24 hours of public PoC availability. Attackers deployed VShell and SparkRAT payloads through compromised instances. Even earlier, CVE-2024-12356 was used to establish backdoors and web shells across multiple victim networks.

Remote access tools are high-value targets precisely because they're designed to provide privileged access. Attackers who compromise them inherit legitimate-looking access that's harder to distinguish from normal administrative activity.

Immediate Remediation Steps

Organizations running BeyondTrust Remote Support or PRA should:

  1. Update to version 25.3.3+ immediately
  2. Review authentication configurations — understand which settings are enabled
  3. Audit access logs for unusual authentication patterns or failed login attempts
  4. Monitor for IOCs from prior BeyondTrust exploitation campaigns
  5. Verify no unauthorized sessions exist in active connection logs

If patching requires a maintenance window, consider temporarily restricting external access to management interfaces.

The Bigger Picture

Remote access and privileged access management tools have become a favorite target class in 2026. SimpleHelp's CVE-2026-48558 enabled MSP supply chain attacks. ConnectWise ScreenConnect vulnerabilities led to ransomware deployments.

The pattern is consistent: these tools are trusted implicitly by endpoint security solutions, have broad network access, and often connect to the most sensitive systems. A single vulnerability becomes a master key.

For security teams, the lesson is uncomfortable but clear: the tools meant to enable secure remote work are themselves attack surfaces. Defense in depth—network segmentation, behavioral monitoring, and session recording—becomes essential to catch compromise even when the access looks legitimate.

What to Watch

Expect PoC development efforts to begin once researchers reverse-engineer the patches. The 24-hour window between PoC release and active exploitation that we saw with CVE-2026-1731 suggests organizations have very little time to react once technical details emerge.

CISA hasn't yet added these CVEs to the KEV catalog, but given BeyondTrust's track record, that addition seems likely if exploitation begins.

Related Articles