TL;DR
- what: BeyondTrust patched four flaws in Remote Support and Privileged Remote Access, including two CVSS 9.2 pre-authentication bypasses (CVE-2026-40138, CVE-2026-40139).
- impact: Under specific auth configurations, an unauthenticated network-positioned attacker can bypass access controls and take over appliance accounts with elevated privileges.
- fix: Upgrade to Remote Support RS 25.3.3+ and Privileged Remote Access PRA 25.3.3+; versions 25.3.2 and lower are vulnerable.
- who: Any organization running BeyondTrust RS or PRA appliances 25.3.2 or below, especially internet-facing deployments.
BeyondTrust has patched four vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products, two of them rated CVSS 9.2. Both top-severity bugs are pre-authentication auth bypasses: an attacker with network access and no credentials can defeat access controls and land on the appliance in an account that includes elevated privileges. The fixes ship in RS 25.3.3 and PRA 25.3.3. Anything 25.3.2 or lower is exposed.
These are the products that broker privileged remote sessions into your environment. A compromised RS or PRA appliance is not a foothold on some isolated box, it is a position that sits above the credentials and sessions used to administer other systems. That is why prior flaws in this product line have been chained into web shell and backdoor deployments in the wild.
The four CVEs
- CVE-2026-40138 (CVSS 9.2): Pre-auth flaw in the authentication subsystem of RS and PRA from improper validation of authentication data. A network-positioned attacker can bypass access controls and reach accounts with elevated privileges.
- CVE-2026-40139 (CVSS 9.2): Pre-auth flaw in the RS authentication subsystem from improper processing of authentication requests. An unauthenticated remote attacker can bypass access controls and reach elevated accounts.
- CVE-2026-40140 (CVSS 8.7): Pre-auth flaw in the network communication subsystem from insufficient validation of client-supplied input, allowing an unauthenticated remote attacker to trigger a denial-of-service and knock the appliance offline.
- CVE-2026-40141 (CVSS 8.5): Web application flaw in RS and PRA from insufficient input validation, letting an authenticated low-privilege user reach resources or data beyond their authorization scope.
The configuration caveats that matter
Read the fine print before you assume you are safe. Exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. CVE-2026-40141 is restricted to accounts holding specific permissions. That narrows the blast radius for some deployments, but it does not change the response: you cannot audit every appliance's config faster than you can push the patch, and the config that makes you vulnerable is a common one for organizations using federated or SSO-style authentication. Treat all four as reachable until you have upgraded.
⚠️ Patch now, do not wait for exploitation reports — BeyondTrust reports no in-the-wild exploitation of these four CVEs. That is cold comfort. Two earlier RS/PRA flaws, CVE-2024-12356 and CVE-2026-1731, came under repeated exploitation and were used to drop web shells and backdoors. Pre-auth bypasses on privileged-access appliances are exactly the class of bug attackers reverse-engineer from patches within days.
How these were found
BeyondTrust says it identified all four internally during ongoing security assessments, with help from publicly available AI models, naming Anthropic's Claude Opus 4.8, alongside its own proprietary research tooling. That is a notable data point on both sides of the fence: vendors are now using frontier models to surface vulnerability classes at scale, and so are the people who will race to weaponize the patch diff. The finding pipeline is getting faster for everyone, which compresses your window to act.
What to do
- Inventory every RS and PRA appliance and confirm its version. Anything at 25.3.2 or below is in scope.
- Upgrade to RS 25.3.3 / PRA 25.3.3 or later. Cloud-hosted instances are typically updated by BeyondTrust; verify yours has moved to a fixed build.
- Prioritize internet-facing and network-reachable appliances first, since the 9.2 bugs require only network position.
- Review whether the authentication configuration that gates CVE-2026-40138/40139 is enabled, but do not let that assessment delay the upgrade.
- Hunt for prior compromise. Check for unexpected web shells, new backdoors, and anomalous admin sessions, given the history of this product line being backdoored post-exploitation.
Bottom line
Two unauthenticated paths to a privileged account on the appliance that governs your privileged access. That is the worst possible place to carry a 9.2. No public exploitation yet, but the patch is out, the bug class is well understood, and the historical pattern for RS and PRA is repeated real-world abuse. Move to 25.3.3 this week, then verify you were not already touched.
Originally published on RedEye Threat Intelligence.
Top comments (0)