BeyondTrust Patches Critical Vulnerabilities in Remote Access Tools

BeyondTrust has recently addressed multiple critical and high-severity vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) solutions. These flaws could potentially allow attackers to bypass access controls and gain unauthorized access to sensitive systems.

The vulnerabilities, identified as CVE-2026-40138 and CVE-2026-40139, stem from improper authentication mechanisms within the affected products. CVE-2026-40138 affects both RS and PRA, involving inadequate validation of authentication data. CVE-2026-40139 specifically impacts RS due to improper processing of authentication requests. Exploitation of these vulnerabilities could grant attackers unauthorized access to the appliance, including accounts with elevated privileges, without requiring user interaction.

Additionally, two high-severity vulnerabilities were identified. CVE-2026-40140 is a pre-authentication issue in the network communication subsystem that could allow attackers to trigger a denial-of-service condition, disrupting service availability. CVE-2026-40141 affects a web application component and could enable authenticated users with limited privileges to access unintended resources due to improper input validation.

BeyondTrust confirmed that cloud-hosted customers were automatically patched as of April 21, 2026. However, organizations using self-hosted deployments remain at risk if updates have not been applied. The vulnerabilities affect RS and PRA versions 25.3.2 and earlier. To mitigate the risk, customers are advised to apply the April 2026 security rollup patches or upgrade to version 25.3.3 or later for both RS and PRA.

These vulnerabilities underscore the critical importance of timely patch management, especially for remote access tools that are often targeted by attackers. Organizations should prioritize updating their systems to prevent potential exploitation and ensure the security of their remote access infrastructure.