Skip to content

BeyondTrust RS / PRA CVE-2026-40138 and CVE-2026-40139 authentication bypass

Summary

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) received July 2026 fixes for a cluster of pre-authentication appliance vulnerabilities, including two critical authentication-bypass flaws: CVE-2026-40138 and CVE-2026-40139. Public reporting says successful exploitation can let an unauthenticated or network-positioned attacker bypass appliance access controls and reach accounts with elevated privileges under specific authentication configurations.

The durable defender value is the appliance class and historical context. RS/PRA flaws have been repeatedly exploited in prior campaigns to deploy web shells and backdoors, so externally reachable RS/PRA appliances should be treated as high-priority patch and exposure-reduction targets even though BeyondTrust did not report in-the-wild exploitation for this July 2026 set.

Tags

Vulnerability cluster

CVE Product exposure Publicly described impact
CVE-2026-40138 BeyondTrust RS and PRA Pre-authentication authentication-subsystem flaw from improper validation of authentication data; network-positioned attacker may bypass access controls and gain unauthorized appliance access, including elevated accounts.
CVE-2026-40139 BeyondTrust RS Pre-authentication authentication-subsystem flaw from improper processing of authentication requests; unauthenticated remote attacker may bypass access controls and gain unauthorized appliance access, including elevated accounts.
CVE-2026-40140 BeyondTrust appliance network communication subsystem Pre-authentication insufficient input validation; unauthenticated remote attacker may trigger denial of service and affect appliance availability.
CVE-2026-40141 BeyondTrust RS and PRA web application component Authenticated limited-privilege attacker may access unintended resources or data beyond authorization scope.

Public reporting notes that exploitation of the two critical auth-bypass flaws depends on a specific authentication configuration being enabled; exploitation of CVE-2026-40141 is limited to accounts with specific permissions.

Affected and fixed versions

Reported fixed versions:

  • BeyondTrust Remote Support RS 25.3.2 and earlier are fixed in RS 25.3.3 and later.
  • BeyondTrust Privileged Remote Access PRA 25.3.2 and earlier are fixed in PRA 25.3.3 and later.

Why defenders should care

  • RS/PRA appliances sit in a high-trust remote-access path and often bridge support operators into internal systems.
  • Prior BeyondTrust RS/PRA vulnerabilities, including CVE-2024-12356 and CVE-2026-1731, were publicly reported as exploited to deploy web shells and backdoors.
  • Authentication-bypass fixes should be prioritized even without confirmed exploitation because exposed remote-support appliances are attractive initial-access and persistence targets.
  • Configuration-dependent exposure is easy to miss during asset triage; defenders should inventory authentication modes rather than relying only on product/version checks.

Defender notes

  • Patch RS and PRA appliances to 25.3.3 or later.
  • Reduce internet exposure for administrative and remote-support portals; require VPN, allow-listed source ranges, or equivalent access controls where operationally feasible.
  • Review enabled authentication configurations against the vendor advisory, especially deployments using non-default or externally federated authentication flows.
  • Audit appliance accounts, elevated roles, support sessions, generated jump items, API tokens, integrations, and recent configuration changes.
  • Preserve and review appliance logs before rebooting or rebuilding if compromise is suspected.
  • Hunt for unexpected web-shell-like files, new local/admin accounts, unusual outbound callbacks, suspicious session launches, and support-console activity outside normal support windows.

Sources

  • BeyondTrust security advisory BT26-03: https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
  • The Hacker News: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html