CVE-2026-40138 and CVE-2026-40139: BeyondTrust Remote Support and PRA Critical Pre-Authentication Bypass (CVSS 9.2)

CVE-2026-40138 and CVE-2026-40139: BeyondTrust Remote Support and PRA Critical Pre-Authentication Bypass (CVSS 9.2)

CVE: CVE-2026-40138, CVE-2026-40139 | CVSS 3.1: 9.2 (Critical) each | CWE: CWE-287 (Improper Authentication) | Vendor: BeyondTrust | Product: Remote Support (RS) and Privileged Remote Access (PRA) | Affected versions: Consult BeyondTrust advisory


What Is the Vulnerability

CVE-2026-40138: A pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data could allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges (CVSS 9.2). CVE-2026-40139: A pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support stemming from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls (CVSS 9.2). Both are critical severity and allow attackers to gain unauthorized administrative access without valid credentials.


Versions Affected

  • BeyondTrust Remote Support (RS) — affected versions per advisory
  • BeyondTrust Privileged Remote Access (PRA) — affected versions per advisory

Exploited?

No confirmed exploitation in the wild at time of publication. BeyondTrust released patches proactively. However, given the severity (CVSS 9.2) and the nature of the products (remote access and PAM appliances that are typically internet-facing), exploitation attempts are expected once technical details circulate.


Fix

BeyondTrust has released security updates for both Remote Support and Privileged Remote Access.

  • Primary fix: Apply BeyondTrust patches to all affected appliances immediately.
  • Workaround: Restrict network access to BeyondTrust appliances to trusted IPs only until patching is complete.

Recommendations

  • Patch immediately: BeyondTrust appliances manage privileged access — compromise of a PAM solution is a worst-case scenario.
  • Rotate credentials: After patching, rotate all credentials stored in or managed by BeyondTrust.
  • Audit access logs: Review for signs of unauthorised administrative access or configuration changes.
  • Restrict network access: Ensure BeyondTrust appliances are not directly exposed to the internet unless necessary.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!