BeyondTrust Warns of Critical Authentication Bypass Flaws in Remote Support Platforms
BeyondTrust has issued an urgent warning to customers, urging them to patch two critical security vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) software. These flaws could allow unauthenticated attackers to bypass authentication and gain unauthorized access to appliances, including those with elevated privileges. The company has also addressed two high-severity issues.

**BeyondTrust** has alerted its user base to patch two critical security flaws identified in its **Remote Support (RS)** and **Privileged Remote Access (PRA)** software. Successful exploitation of these vulnerabilities could enable attackers to bypass authentication mechanisms entirely.
### Critical Authentication Bypass Vulnerabilities
The first critical vulnerability, tracked as **CVE-2026-40138**, impacts **BeyondTrust RS** (versions 25.3.2 or earlier) and **PRA** (versions 25.3.2 or earlier). This flaw is rooted in an improper authentication weakness within the authentication subsystem. Attackers, without any prior privileges, could leverage this to bypass access controls and gain unauthorized access to targeted appliances, potentially including accounts with elevated privileges.
The second vulnerability, **CVE-2026-40139**, stems from improper processing of authentication requests in **BeyondTrust RS**. This allows unauthenticated remote attackers to gain unauthorized access to vulnerable instances.
**BeyondTrust** notes that exploiting both these critical flaws requires a specific authentication configuration to be enabled, though further details on these configurations were not disclosed.
### Additional High-Severity Issues Addressed
In addition to the critical flaws, **BeyondTrust** has released security updates for two high-severity issues, **CVE-2026-40140** and **CVE-2026-40141**. These vulnerabilities could be exploited to trigger denial-of-service conditions or access restricted resources on unpatched **RS** and **PRA** instances.
**BeyondTrust** stated, "The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Additional vulnerabilities may allow service disruption, unintended data access, and under distinct configurations, elevated access by an authenticated user that may impact system integrity."
### Patching and Exposure
For cloud customers, **BeyondTrust** confirmed that a patch was applied to all **RS/PRA** instances as of April 21, 2026. Self-hosted customers are advised to apply the April security rollup patch for their affected version if not subscribed to automatic updates, or to upgrade to **RS 25.3.3** & above or **PRA 25.3.3** & above.
Internet security watchdog group **Shadowserver** currently tracks nearly 2,000 **BeyondTrust RS** and **PRA** instances exposed online. It remains unclear how many of these are honeypots or have already been patched against these newly disclosed flaws.

*BeyondTrust RS and PRA instances exposed online (Shadowserver)*
### History of Exploitation
While **BeyondTrust** has not confirmed in-the-wild exploitation of these specific flaws prior to the patch, the company's remote support software has been a target for attackers in the past.
Recently, a critical pre-authentication remote code execution vulnerability, **CVE-2026-1731**, affecting **Remote Support** and **Privileged Remote Access** appliances, was exploited to establish WebSocket channels and deploy ransomware on vulnerable systems.
Furthermore, **BeyondTrust** flaws have been weaponized to compromise U.S. government agencies. Two years ago, the U.S. Treasury Department revealed a network breach linked to the notorious Chinese state-backed cyberespionage group, **Silk Typhoon**. This group is believed to have exploited two zero-days, **CVE-2024-12356** and **CVE-2024-12686**, to breach **BeyondTrust's** systems and use a stolen API key to compromise 17 **Remote Support SaaS** instances, including the Treasury's.
**Silk Typhoon** also targeted the **Committee on Foreign Investment in the United States (CFIUS)** and the **Office of Foreign Assets Control (OFAC)** during these campaigns.