LIVE · cybersecurity feed
beyondtrustcritical

BeyondTrust warns of critical flaws in remote access software

zeroday.news·1d ago

BeyondTrust has issued a warning to its customers regarding two critical security vulnerabilities discovered in its Remote Support (RS) and Privileged Remote Access (PRA) software. These flaws could potentially allow attackers to bypass authentication mechanisms and gain unauthorized access to affected systems.

The first vulnerability, identified as CVE-2026-40138, impacts both Remote Support and Privileged Remote Access versions 25.3.2 and earlier. This issue resides within the authentication subsystem and is described as an improper authentication weakness. Successful exploitation of this flaw could enable an attacker without prior privileges to circumvent access controls and compromise targeted appliances, including those with elevated user accounts.

The second critical vulnerability, CVE-2026-40139, also affects the same versions of BeyondTrust's software. This flaw arises from the improper processing of authentication requests within the Remote Support component. It could permit unauthenticated remote attackers to achieve unauthorized access to vulnerable instances. BeyondTrust has indicated that both of these critical vulnerabilities require a specific authentication configuration to be enabled for successful exploitation, though further details on this configuration were not provided.

In addition to the critical vulnerabilities, BeyondTrust has also addressed two high-severity security issues, tracked as CVE-2026-40140 and CVE-2026-40141. These flaws, if exploited, could lead to denial-of-service conditions or unauthorized access to restricted resources on unpatched RS and PRA instances.

BeyondTrust stated that the most severe vulnerabilities could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Other vulnerabilities may result in service disruption, unintended data access, and, under distinct configurations, elevated access for authenticated users, potentially impacting system integrity.

For cloud-based customers, BeyondTrust confirmed that a patch was applied to all RS/PRA cloud instances as of April 21, 2026. Customers hosting their own instances are advised to apply the April security rollup patch for the affected version if their systems are not configured for automatic updates. Alternatively, they should upgrade to RS version 25.3.3 or later, or PRA version 25.3.3 or later.

Internet security watchdog group Shadowserver is currently monitoring nearly 2,000 BeyondTrust RS and PRA instances accessible online. However, the exact number of these instances that are potentially vulnerable or have already been patched remains unclear, as some may be honeypots.

While BeyondTrust has not disclosed any instances of these specific vulnerabilities being actively exploited in attacks prior to the release of patches, the company's remote support software has been a target in the past. Notably, a critical pre-authentication remote code execution vulnerability in Remote Support and Privileged Remote Access appliances (CVE-2026-1731) was previously exploited to establish WebSocket channels and deploy ransomware.

Past security incidents involving BeyondTrust software have also been linked to sophisticated cyberespionage operations. For example, the U.S. Treasury Department reported a network breach attributed to the Chinese state-backed Silk Typhoon group, which is believed to have exploited two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust systems. This breach allowed the group to use a stolen API key to compromise multiple Remote Support SaaS instances, including those belonging to the Treasury, the Committee on Foreign Investment in the United States (CFIUS), and the Office of Foreign Assets Control (OFAC).

beyondtrustremote supportprivileged remote accessvulnerabilityauthentication bypass
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 4h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.