CVE: CVE-2026-40138, CVE-2026-40139 | CVSS 3.1: 9.2 (Critical) each | CWE: CWE-287 (Improper Authentication) | Vendor: BeyondTrust | Product: Remote Support (RS) and Privileged Remote Access (PRA) | Affected versions: Consult BeyondTrust advisory
What Is the Vulnerability
CVE-2026-40138: A pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data could allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges (CVSS 9.2). CVE-2026-40139: A pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support stemming from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls (CVSS 9.2). Both are critical severity and allow attackers to gain unauthorized administrative access without valid credentials.
Versions Affected
- BeyondTrust Remote Support (RS) — affected versions per advisory
- BeyondTrust Privileged Remote Access (PRA) — affected versions per advisory
Exploited?
No confirmed exploitation in the wild at time of publication. BeyondTrust released patches proactively. However, given the severity (CVSS 9.2) and the nature of the products (remote access and PAM appliances that are typically internet-facing), exploitation attempts are expected once technical details circulate.
Fix
BeyondTrust has released security updates for both Remote Support and Privileged Remote Access.
- Primary fix: Apply BeyondTrust patches to all affected appliances immediately.
- Workaround: Restrict network access to BeyondTrust appliances to trusted IPs only until patching is complete.
Recommendations
- Patch immediately: BeyondTrust appliances manage privileged access — compromise of a PAM solution is a worst-case scenario.
- Rotate credentials: After patching, rotate all credentials stored in or managed by BeyondTrust.
- Audit access logs: Review for signs of unauthorised administrative access or configuration changes.
- Restrict network access: Ensure BeyondTrust appliances are not directly exposed to the internet unless necessary.
References
- The Hacker News: BeyondTrust Patches
- BeyondTrust Security Advisory (RS and PRA)
Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.
