- Product: BeyondTrust Remote Support
- Vulnerabilities: 4 flaws (CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, CVE-2026-40141)
- Highest severity: 9.2 (Critical · CVSSv4)
- Worst impact: Bypass access controls and gain unauthorized access
- Status: No confirmed exploitation yet; patches available
- Action: Update to 26.2.1, 25.3.3 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-40138 | 9.2 | Critical Pre-Authentication in and Privileged Remote Access | 26.2.1, 25.3.3 | Not exploited |
| CVE-2026-40139 | 9.2 | Critical Pre-Authentication in and Privileged Remote Access | 26.2.1, 25.3.3 | Not exploited |
| CVE-2026-40140 | 8.7 | High-Severity Pre-Authentication in and Privileged Remote Access | 26.2.1, 25.3.3 | Not exploited |
| CVE-2026-40141 | 8.5 | High-Severity In Web Application Component of and Privileged Remote Access | 26.2.1, 25.3.3 | Not exploited |
BeyondTrust disclosed two critical pre-authentication vulnerabilities affecting its Remote Support and Privileged Remote Access products. The vendor discovered these severe flaws internally using AI models like Opus 4.8. Researchers conducted this work independently of Project Glasswing. Currently, no active exploitation or public proof-of-concept code exists.
TL;DR
BeyondTrust Remote Support and Privileged Remote Access contain multiple severe security flaws. The most critical bugs allow an unauthenticated remote attacker to bypass access controls completely. Network-positioned attackers can gain unauthorized appliance access under specific configurations.
Why It Matters
System administrators rely on BeyondTrust appliances to manage highly sensitive environments. A pre-authentication vulnerability in these systems poses a massive security risk to organizations. Attackers can hijack accounts with elevated privileges to breach internal networks. A successful intrusion could lead to unintended data access or severe service disruption. CISOs must address these vulnerabilities to maintain network integrity.
How the Attack Works
The two most critical flaws (CVE-2026-40138 and CVE-2026-40139) share a CVSS v4 score of 9.2. Both stem from improper authentication validation (CWE-287). Attackers send malformed authentication requests over the network. The system processes these requests incorrectly. This failure grants unauthorized access without proper credentials. Exploitation requires a specific authentication configuration to be active.
Additionally, a high-severity bug (CVE-2026-40140) involves insufficient client input validation. This flaw enables unauthenticated remote attackers to trigger uncontrolled resource consumption (CWE-400). Consequently, attackers can cause a widespread denial-of-service condition affecting availability.
Finally, CVE-2026-40141 allows authenticated users to access unintended resources. This high-severity flaw stems from the improper neutralization of special elements in data query logic (CWE-943). Exploitation of this specific flaw restricts itself to accounts with specific permissions.
Affected Versions
These vulnerabilities impact multiple versions of BeyondTrust enterprise software. BeyondTrust Remote Support version 25.3.2 and lower contain these flaws. Privileged Remote Access version 25.3.2 and lower are equally affected.
Patch or Mitigation Steps
The vendor automatically applied patches to all cloud customers on April 21, 2026. Self-hosted customers must take manual action immediately. You should apply the April 2026 Security Rollup patch for your specific version. Alternatively, administrators can upgrade their instances to version 25.3.3 or higher.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.