HackMyIP
← Back to News
2026-07-07 The Hacker News

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support, PRA

VulnerabilityAuthenticationAI Security

BeyondTrust has rolled out security updates to remediate four critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) appliances, two of which carry a CVSS score of 9.2 and could enable unauthenticated attackers to bypass authentication controls and seize control of affected systems. The flaws were identified internally through ongoing security assessments, with BeyondTrust leveraging Anthropic Claude Opus 4.8 alongside its proprietary research tooling to accelerate discovery.

The two most severe issues are pre-authentication vulnerabilities in the authentication subsystem. CVE-2026-40138 and CVE-2026-40139 both stem from improper validation and processing of authentication data, potentially allowing a network-positioned attacker to bypass access controls and access privileged accounts. Exploitation of these flaws depends on a specific authentication configuration being enabled. CVE-2026-40140 (CVSS 8.7) is a denial-of-service flaw caused by insufficient validation of client-supplied input in the network communication subsystem, while CVE-2026-40141 (CVSS 8.5) affects a web application component and could let a low-privileged authenticated user access resources beyond their authorization scope. Organizations running these appliances should verify exposure using tools like a port scanner and confirm credential hygiene with a password checker to reduce their attack surface during remediation.

Patches are available in Remote Support RS 25.3.3 and Privileged Remote Access PRA 25.3.3, and administrators are urged to upgrade immediately. BeyondTrust has not confirmed any in-the-wild exploitation of these specific CVEs, but the RS and PRA product lines have previously been targeted through flaws such as CVE-2024-12356 and CVE-2026-1731, making rapid patching a priority. The disclosure also signals a growing trend of vendors integrating AI-driven fuzzing and code analysis into their secure development lifecycles to surface authentication and input-validation defects before adversaries do.

Security teams should audit their BeyondTrust deployments, confirm firmware versions are at or above the fixed releases, and review authentication configurations to ensure they are not inadvertently exposed. Network defenders may also benefit from running a DNS leak test on management endpoints to validate that privileged appliance traffic is not leaking outside intended channels, particularly in environments where remote support infrastructure is exposed to the internet.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Password Checker →Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

Password security basics →Two-factor authentication explained →How to create a strong password →