Last updated: July 8, 2026 at 4:54 AM UTC
All 573 Vulnerability 206 Breach 108 Threat 252 Defense 7
Tag: remote-access (1 article)Clear

Critical BeyondTrust flaws let attackers bypass authentication on remote-access appliances

BeyondTrust has patched two critical flaws in its Remote Support and Privileged Remote Access products that let an unauthenticated, network-positioned attacker bypass authentication and reach the appliance, including accounts with elevated privileges. The bugs, CVE-2026-40138 and CVE-2026-40139, both rated 9.2, sit in the authentication subsystem and depend on a specific authentication configuration being enabled. Cloud-hosted customers were patched automatically in April, but self-hosted deployments on version 25.3.2 or earlier need to update themselves. BeyondTrust has not reported exploitation, but its remote-support products have a history of being attacked, including flaws used to breach the US Treasury and to deploy ransomware, so internet-facing appliances should be patched quickly.

Check
Identify any self-hosted BeyondTrust Remote Support or Privileged Remote Access appliances, confirm their versions, prioritize internet-facing ones, and review whether the specific authentication configuration these flaws require is enabled.
Affected
Self-hosted BeyondTrust Remote Support and Privileged Remote Access appliances on version 25.3.2 or earlier (CVE-2026-40138, CVE-2026-40139); an unauthenticated attacker can bypass authentication and gain access, including to privileged accounts.
Fix
Apply the April security rollup or upgrade to Remote Support and Privileged Remote Access 25.3.3 or later, prioritize internet-facing appliances, and review authentication configurations and logs for unauthorized access.