On July 7, 2026, BeyondTrust published advisory BT26-03, disclosing four vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. The two most serious — CVE-2026-40138 and CVE-2026-40139, both CVSS 9.2 — are pre-authentication flaws in the appliance's authentication subsystem. Under a specific authentication configuration, a network-positioned attacker can bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges, with no valid credentials.
BeyondTrust says it found the flaws internally and has no evidence of in-the-wild exploitation. That caveat is thin comfort: RS and PRA appliances have a well-documented history of being weaponized once details are public — CVE-2026-1731 was exploited earlier this year to deploy web shells and ransomware, and a 2024 pair of zero-days was used by a Chinese state actor to breach the U.S. Treasury. If you self-host RS or PRA, this is a patch-now item.
What the Vulnerability Is
BeyondTrust Remote Support and Privileged Remote Access are network-facing appliances used to broker remote sessions into internal systems. Because they sit at the perimeter and grant privileged access by design, their authentication layer is the crown jewel — and that is exactly where these bugs live.
The advisory (BT26-03) lists four issues:
- CVE-2026-40138 (CVSS 9.2) — A pre-authentication flaw in the authentication subsystem of both RS and PRA, caused by improper validation of authentication data. A network-positioned attacker can bypass access controls and reach the appliance, including elevated-privilege accounts.
- CVE-2026-40139 (CVSS 9.2) — A pre-authentication flaw in Remote Support, caused by improper processing of authentication requests. An unauthenticated remote attacker can bypass access controls and gain unauthorized appliance access.
- CVE-2026-40140 (CVSS 8.7) — A pre-authentication flaw in the network communication subsystem, caused by insufficient validation of client-supplied input. An unauthenticated remote attacker can trigger a denial-of-service condition affecting appliance availability.
- CVE-2026-40141 (CVSS 8.5) — A flaw in a web application component of RS and PRA, caused by insufficient validation of user-supplied input. An authenticated attacker with limited privileges can access resources or data beyond their authorization scope (a broken-access-control / IDOR-style issue).
BeyondTrust notes that successful exploitation of the two critical bypasses (CVE-2026-40138 and CVE-2026-40139) hinges on a specific authentication configuration being enabled, and that CVE-2026-40141 is restricted to accounts with specific permissions. The vendor did not publish the technical specifics of the vulnerable configuration — likely to slow reverse-engineering — so treat any RS/PRA instance at a vulnerable version as exposed until patched.
One notable detail: BeyondTrust says it identified these issues during ongoing internal security assessments, aided by publicly available AI models (it named Anthropic's Claude Opus 4.8) alongside its own proprietary research tooling. Vendor-side AI-assisted discovery is becoming a recurring theme in 2026 advisories.
Why It Matters
- These appliances are privileged access gateways. RS and PRA exist to grant remote, often elevated, access into internal networks. An attacker who bypasses authentication doesn't just compromise one box — they inherit the appliance's reason for existing: a pathway into everything it manages.
- Pre-auth means no credentials, no phishing, no foothold required. For CVE-2026-40138 and CVE-2026-40139, a network-positioned attacker needs only reachability to the appliance and the vulnerable configuration. There is no login step to defeat.
- History says these get exploited. Earlier in 2026, CVE-2026-1731 (a pre-auth RCE in the same product line) was exploited in the wild to open WebSocket channels and deploy ransomware. In 2024, CVE-2024-12356 and CVE-2024-12686 were used by the Silk Typhoon group to breach BeyondTrust's own SaaS instances and pivot into the U.S. Treasury, CFIUS, and OFAC. Public disclosure of an RS/PRA auth flaw has repeatedly been a precursor to real attacks.
- The DoS bug (CVE-2026-40140) is its own problem. If your organization relies on RS/PRA for break-glass or vendor access, an unauthenticated attacker knocking the appliance offline can cut off legitimate administrators during exactly the moments you need them.
Am I Affected?
You are affected if you self-host either product at a vulnerable version:
- Remote Support (RS) 25.3.2 or lower
- Privileged Remote Access (PRA) 25.3.2 or lower
Cloud customers: BeyondTrust states that a patch was applied to all RS/PRA cloud customers as of April 21, 2026. If you are fully cloud-hosted and subscribed to automatic updates, you are already covered — but confirm your instance's update status rather than assuming.
Self-hosted customers are the primary at-risk population, especially any appliance whose management/session interface is reachable from the internet or from untrusted internal networks. The two critical bypasses additionally require a specific authentication configuration to be enabled; because BeyondTrust withheld the specifics, assume you qualify until you have patched.
What to Do About It: Step-by-Step
- Patch to a fixed version (primary remediation). Upgrade Remote Support to 25.3.3 or above and Privileged Remote Access to 25.3.3 or above. Alternatively, if you are not on auto-updates and cannot jump versions immediately, apply the April security rollup patch for your affected version as directed in BeyondTrust advisory BT26-03. Fixing to 25.3.3+ addresses all four CVEs in a single upgrade.
- Confirm cloud instances are actually patched. If you use RS/PRA cloud, verify in your BeyondTrust admin console that your instance is on a build dated after April 21, 2026 and that automatic updates are enabled. Don't assume — confirm.
- Restrict network exposure of the appliance. Ensure the RS/PRA management and session interfaces are not exposed to the open internet unless strictly required. Where public reachability is required, restrict administrative/management paths to known IP ranges or a VPN, and place the appliance behind a WAF or reverse proxy with rate limiting. Segment the appliance away from your most sensitive internal systems so a compromise doesn't immediately translate to domain-wide access.
- Review the specific authentication configuration. The two critical bypasses depend on a particular authentication configuration being enabled. Review your RS/PRA authentication settings and, if you don't strictly need non-default authentication options, disable what you aren't using. Contact BeyondTrust support if you need clarification on which configuration is implicated for your deployment.
- Hunt for signs of prior abuse. Review appliance and session logs for anomalies: unexpected administrative logins, new or modified accounts, unfamiliar remote sessions, and outbound connections (web shells / WebSocket channels were the payload in the CVE-2026-1731 campaign). If the appliance was internet-exposed at a vulnerable version, treat compromise as plausible and investigate accordingly.
- Rotate credentials and keys after patching if exposure is suspected. If you find evidence of unauthorized access — or if the appliance was internet-facing and unpatched for any meaningful window — rotate API keys, service credentials, and any secrets the appliance could reach.
Quick-Win Checklist
- Identified whether you self-host RS/PRA and at what version (≤ 25.3.2 = vulnerable).
- Patched RS and PRA to 25.3.3 or above (or applied the April security rollup for your version).
- Verified cloud instances are on a post-April-21-2026 build with auto-updates on.
- Confirmed the appliance's management/session interface is not needlessly internet-exposed.
- Reviewed the authentication configuration implicated in CVE-2026-40138 / CVE-2026-40139.
- Hunted logs for unexpected logins, new accounts, rogue sessions, and web-shell/WebSocket activity.
- Rotated credentials/keys if compromise is suspected.
- Read BeyondTrust advisory BT26-03 for deployment-specific guidance.