Critical BeyondTrust flaws let attackers bypass authentication on remote-access appliances
BeyondTrust has patched two critical flaws in its Remote Support and Privileged Remote Access products that let an unauthenticated, network-positioned attacker bypass authentication and reach the appliance, including accounts with elevated privileges. The bugs, CVE-2026-40138 and CVE-2026-40139, both rated 9.2, sit in the authentication subsystem and depend on a specific authentication configuration being enabled. Cloud-hosted customers were patched automatically in April, but self-hosted deployments on version 25.3.2 or earlier need to update themselves. BeyondTrust has not reported exploitation, but its remote-support products have a history of being attacked, including flaws used to breach the US Treasury and to deploy ransomware, so internet-facing appliances should be patched quickly.
- Check
- Identify any self-hosted BeyondTrust Remote Support or Privileged Remote Access appliances, confirm their versions, prioritize internet-facing ones, and review whether the specific authentication configuration these flaws require is enabled.
- Affected
- Self-hosted BeyondTrust Remote Support and Privileged Remote Access appliances on version 25.3.2 or earlier (CVE-2026-40138, CVE-2026-40139); an unauthenticated attacker can bypass authentication and gain access, including to privileged accounts.
- Fix
- Apply the April security rollup or upgrade to Remote Support and Privileged Remote Access 25.3.3 or later, prioritize internet-facing appliances, and review authentication configurations and logs for unauthorized access.