BeyondTrust Warns of Critical Flaws in Remote Access Software
What happened
BeyondTrust warned customers to patch two critical vulnerabilities in its Remote Support and Privileged Remote Access products that could allow attackers to bypass authentication. The flaws affect RS and PRA versions 25.3.2 and earlier, with fixed releases available in version 25.3.3 and above.
The first flaw, tracked as CVE-2026-40138, is an improper authentication vulnerability in the authentication subsystem. Successful exploitation could allow an unauthenticated attacker to bypass access controls and access targeted appliances, including accounts with elevated privileges. The second flaw, CVE-2026-40139, involves improper processing of Remote Support authentication requests and can also allow unauthenticated remote access to vulnerable instances.
Both critical flaws require a specific authentication configuration to be enabled, though the company did not disclose the exact configuration details. BeyondTrust also fixed two high-severity issues, CVE-2026-40140 and CVE-2026-40141, which can cause denial-of-service, restricted resource access, or elevated access by an authenticated user under certain configurations.
Cloud customers were patched as of April 21, 2026. Self-hosted customers must apply the April security rollup patch if they are not subscribed to automatic updates or upgrade to RS 25.3.3 or PRA 25.3.3 and later. Nearly 2,000 BeyondTrust RS and PRA instances are currently tracked as exposed online, though it is unclear how many are honeypots or already patched.
Who is affected
Organizations using BeyondTrust Remote Support or Privileged Remote Access versions 25.3.2 and earlier are directly affected.
Self-hosted customers face the highest urgency if they are not subscribed to automatic updates or have not yet applied the April security rollup patch.
Organizations with internet-facing BeyondTrust RS or PRA appliances should treat the issue as a priority because remote access platforms often provide privileged pathways into internal systems, endpoints, and support workflows.
Why CISOs should care
Remote access platforms are high-value targets because they are built to provide administrative reach. If authentication can be bypassed, an attacker may gain access to sensitive support functions, privileged accounts, or internal systems through a trusted tool.
For CISOs, the exposed-instance count matters. Nearly 2,000 RS and PRA instances are visible online, giving attackers a reachable target pool to test once vulnerability details become known.
The history of exploitation against remote support products also raises the risk. Prior BeyondTrust flaws have been used in real-world attacks, including activity involving WebSocket channels, ransomware deployment, and compromises affecting government environments.
This is also a reminder that remote access software should not be treated as ordinary business software. These tools require strict exposure control, rapid patching, strong logging, and regular configuration review because compromise can quickly become enterprise-wide access.
3 practical actions
Patch or upgrade affected BeyondTrust deployments: Cloud customers have already received patches, but self-hosted customers should apply the April security rollup or upgrade to RS 25.3.3 or PRA 25.3.3 and above.
Review exposure of remote access appliances: Security teams should identify all internet-facing RS and PRA instances, restrict access where possible, and confirm that remote support portals are not unnecessarily exposed.
Audit authentication and access activity: Because the critical flaws involve authentication bypass and unauthorized access, defenders should review login activity, privileged account use, support sessions, configuration changes, and suspicious access attempts around BeyondTrust appliances.
More in cybersecurity:


