BeyondTrust warns of critical flaws in remote access software

BeyondTrust has issued a warning to its customers regarding two critical security vulnerabilities discovered in its Remote Support (RS) and Privileged Remote Access (PRA) software. These flaws could potentially allow attackers to bypass authentication mechanisms and gain unauthorized access to affected systems.
The first vulnerability, identified as CVE-2026-40138, impacts both Remote Support and Privileged Remote Access versions 25.3.2 and earlier. This issue resides within the authentication subsystem and is described as an improper authentication weakness. Successful exploitation of this flaw could enable an attacker without prior privileges to circumvent access controls and compromise targeted appliances, including those with elevated user accounts.
The second critical vulnerability, CVE-2026-40139, also affects the same versions of BeyondTrust's software. This flaw arises from the improper processing of authentication requests within the Remote Support component. It could permit unauthenticated remote attackers to achieve unauthorized access to vulnerable instances. BeyondTrust has indicated that both of these critical vulnerabilities require a specific authentication configuration to be enabled for successful exploitation, though further details on this configuration were not provided.
In addition to the critical vulnerabilities, BeyondTrust has also addressed two high-severity security issues, tracked as CVE-2026-40140 and CVE-2026-40141. These flaws, if exploited, could lead to denial-of-service conditions or unauthorized access to restricted resources on unpatched RS and PRA instances.
BeyondTrust stated that the most severe vulnerabilities could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Other vulnerabilities may result in service disruption, unintended data access, and, under distinct configurations, elevated access for authenticated users, potentially impacting system integrity.
For cloud-based customers, BeyondTrust confirmed that a patch was applied to all RS/PRA cloud instances as of April 21, 2026. Customers hosting their own instances are advised to apply the April security rollup patch for the affected version if their systems are not configured for automatic updates. Alternatively, they should upgrade to RS version 25.3.3 or later, or PRA version 25.3.3 or later.
Internet security watchdog group Shadowserver is currently monitoring nearly 2,000 BeyondTrust RS and PRA instances accessible online. However, the exact number of these instances that are potentially vulnerable or have already been patched remains unclear, as some may be honeypots.
While BeyondTrust has not disclosed any instances of these specific vulnerabilities being actively exploited in attacks prior to the release of patches, the company's remote support software has been a target in the past. Notably, a critical pre-authentication remote code execution vulnerability in Remote Support and Privileged Remote Access appliances (CVE-2026-1731) was previously exploited to establish WebSocket channels and deploy ransomware.
Past security incidents involving BeyondTrust software have also been linked to sophisticated cyberespionage operations. For example, the U.S. Treasury Department reported a network breach attributed to the Chinese state-backed Silk Typhoon group, which is believed to have exploited two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust systems. This breach allowed the group to use a stolen API key to compromise multiple Remote Support SaaS instances, including those belonging to the Treasury, the Committee on Foreign Investment in the United States (CFIUS), and the Office of Foreign Assets Control (OFAC).





