Executive Summary

    On July 6th, 2026, BeyondTrust disclosed two critical authentication bypass vulnerabilities in its Remote Support and Privileged Remote Access products. Tracked as CVE-2026-40138 and CVE-2026-40139, the flaws let a network-positioned, unauthenticated attacker defeat access controls and reach accounts with elevated privileges, provided a specific authentication configuration is enabled. The two are independent flaws in the same authentication subsystem that share a disclosure rather than chaining together, and BeyondTrust has released fixes for both.

    Remote Support and Privileged Remote Access are appliances organizations use to manage remote sessions and control privileged access into sensitive internal environments. The exploitation of this vulnerability grants them an account with elevated privileges, making a pre-authentication bypass on an internet-reachable management appliance a high value target. This access can be used to pivot into the systems the appliance was built to protect. BeyondTrust identified both issues internally and shipped patches before any public disclosure.

    Neither vulnerability has been observed under active exploitation, and no public proof-of-concept code exists at the time of writing. However, pre-authentication bypasses in internet-facing management appliances are routinely weaponized soon after disclosure. Beazley Security recommends affected organizations apply available fixes as soon as possible.

    Affected Systems or Products

    Product

    Affected Versions

    BeyondTrust Privileged Remote Access

    25.3.2 and earlier

    BeyondTrust Remote Support

    25.3.2 and earlier

    Mitigations / Workarounds

    A single upgrade remediates both vulnerabilities. Upgrade Remote Support and Privileged Remote Access beyond the affected versions above. Self-hosted customers should apply the April 2026 Security Rollup patch for their version, or upgrade to a fixed release. Cloud-hosted instances were updated automatically by BeyondTrust and require no customer action.

    Until the update can be applied, self-hosted operators can reduce exposure by limiting access to internet-facing appliances so that they are reachable only from trusted and administrative networks.

    Patches

    BeyondTrust has released fixes for both vulnerabilities. Cloud-hosted customers were patched automatically on April 21st, 2026. Self-hosted customers must act manually by applying the April 2026 Security Rollup or upgrading to version 25.3.3, available through BeyondTrust's security advisory.

    Technical Details

    Both vulnerabilities are improper authentication issues (CWE-287) in the authentication subsystem shared by Remote Support and Privileged Remote Access tools. CVE-2026-40138 stems from improper validation of authentication data, while CVE-2026-40139 stems from improper processing of authentication requests. In each case, the appliance mishandles a malformed authentication request over the network. This can grant access without valid credentials to accounts with elevated privileges. Both require a specific authentication configuration to be enabled before they can be triggered, which narrows the exposed devices to the ones running that configuration. Unfortunately, the specific configuration details have not been disclosed from BeyondTrust in their advisory at the time of publication.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.