BeyondTrust RS / PRA CVE-2026-40138 and CVE-2026-40139 authentication bypass
Summary
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) received July 2026 fixes for a cluster of pre-authentication appliance vulnerabilities, including two critical authentication-bypass flaws: CVE-2026-40138 and CVE-2026-40139. Public reporting says successful exploitation can let an unauthenticated or network-positioned attacker bypass appliance access controls and reach accounts with elevated privileges under specific authentication configurations.
The durable defender value is the appliance class and historical context. RS/PRA flaws have been repeatedly exploited in prior campaigns to deploy web shells and backdoors, so externally reachable RS/PRA appliances should be treated as high-priority patch and exposure-reduction targets even though BeyondTrust did not report in-the-wild exploitation for this July 2026 set.
Tags
- ops
- vulnerability
- authentication bypass
- BeyondTrust
- Remote Support
- Privileged Remote Access
- PRA
- remote support
- edge appliance
- CVE-2026-40138
- CVE-2026-40139
- CVE-2026-40140
- CVE-2026-40141
- RMM
Vulnerability cluster
| CVE | Product exposure | Publicly described impact |
|---|---|---|
CVE-2026-40138 |
BeyondTrust RS and PRA | Pre-authentication authentication-subsystem flaw from improper validation of authentication data; network-positioned attacker may bypass access controls and gain unauthorized appliance access, including elevated accounts. |
CVE-2026-40139 |
BeyondTrust RS | Pre-authentication authentication-subsystem flaw from improper processing of authentication requests; unauthenticated remote attacker may bypass access controls and gain unauthorized appliance access, including elevated accounts. |
CVE-2026-40140 |
BeyondTrust appliance network communication subsystem | Pre-authentication insufficient input validation; unauthenticated remote attacker may trigger denial of service and affect appliance availability. |
CVE-2026-40141 |
BeyondTrust RS and PRA web application component | Authenticated limited-privilege attacker may access unintended resources or data beyond authorization scope. |
Public reporting notes that exploitation of the two critical auth-bypass flaws depends on a specific authentication configuration being enabled; exploitation of CVE-2026-40141 is limited to accounts with specific permissions.
Affected and fixed versions
Reported fixed versions:
- BeyondTrust Remote Support RS 25.3.2 and earlier are fixed in RS 25.3.3 and later.
- BeyondTrust Privileged Remote Access PRA 25.3.2 and earlier are fixed in PRA 25.3.3 and later.
Why defenders should care
- RS/PRA appliances sit in a high-trust remote-access path and often bridge support operators into internal systems.
- Prior BeyondTrust RS/PRA vulnerabilities, including
CVE-2024-12356andCVE-2026-1731, were publicly reported as exploited to deploy web shells and backdoors. - Authentication-bypass fixes should be prioritized even without confirmed exploitation because exposed remote-support appliances are attractive initial-access and persistence targets.
- Configuration-dependent exposure is easy to miss during asset triage; defenders should inventory authentication modes rather than relying only on product/version checks.
Defender notes
- Patch RS and PRA appliances to 25.3.3 or later.
- Reduce internet exposure for administrative and remote-support portals; require VPN, allow-listed source ranges, or equivalent access controls where operationally feasible.
- Review enabled authentication configurations against the vendor advisory, especially deployments using non-default or externally federated authentication flows.
- Audit appliance accounts, elevated roles, support sessions, generated jump items, API tokens, integrations, and recent configuration changes.
- Preserve and review appliance logs before rebooting or rebuilding if compromise is suspected.
- Hunt for unexpected web-shell-like files, new local/admin accounts, unusual outbound callbacks, suspicious session launches, and support-console activity outside normal support windows.
Related pages
- SimpleHelp CVE-2026-48558 authentication-bypass exploitation
- ConnectWise ScreenConnect exploitation wave
Sources
- BeyondTrust security advisory BT26-03: https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
- The Hacker News: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html