BeyondTrust has issued an urgent advisory for customers running its Remote Support (RS) and Privileged Remote Access (PRA) platforms, disclosing two critical vulnerabilities that could allow unauthenticated attackers to bypass access controls and gain unauthorized access to affected appliances.
Critical Vulnerabilities
The first flaw, CVE-2026-40138 (CVSS score: 9.2), is rooted in an improper authentication weakness within the authentication subsystem. It affects RS and PRA versions 25.3.2 and earlier. Successful exploitation allows an unprivileged attacker to bypass access controls and reach accounts with elevated privileges. A specific authentication configuration must be enabled for the attack to succeed, though BeyondTrust has not disclosed further details about that requirement.
The second critical flaw, CVE-2026-40139, stems from improper processing of RS authentication requests. It similarly enables unauthenticated remote attackers to gain unauthorized access to vulnerable instances and also requires a particular authentication configuration to be active.
High-Severity Issues Also Addressed
Alongside the critical findings, BeyondTrust patched two high-severity vulnerabilities, CVE-2026-40140 and CVE-2026-40141, which can be exploited to trigger denial-of-service conditions or access restricted resources on unpatched RS and PRA instances.
Patch Status and Exposure
BeyondTrust confirmed that cloud-hosted RS and PRA customers received the patch automatically on April 21, 2026. Self-hosted customers are advised to apply the April security rollup patch or upgrade to RS 25.3.3 or PRA 25.3.3 and above if automatic updates are not enabled.
Internet monitoring organization Shadowserver is currently tracking nearly 2,000 BeyondTrust RS and PRA instances exposed to the internet, though it is unclear how many have already been patched or are honeypots.
History of Exploitation
BeyondTrust has not confirmed active exploitation of the newly disclosed flaws, but the company’s remote access products have a documented history of being targeted in significant attacks. A previous critical pre-authentication remote code execution vulnerability, CVE-2026-1731, was exploited to establish WebSocket channels and deploy ransomware on vulnerable systems.
In a high-profile earlier incident, the Chinese state-backed threat actor Silk Typhoon exploited two zero-days (CVE-2024-12356 and CVE-2024-12686) to breach BeyondTrust infrastructure and compromise 17 Remote Support SaaS instances. That campaign targeted the U.S. Treasury Department, the Committee on Foreign Investment in the United States (CFIUS), and the Office of Foreign Assets Control (OFAC).
Given the track record of BeyondTrust vulnerabilities being weaponized in both criminal and nation-state operations, security teams running self-hosted deployments should treat patching as a priority.
