SHIELD: ACTIVE // NETWORK SECURE

2026-07-08 - BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and Privileged Remote Access

Critical Patch: BeyondTrust Fixes Pre-Auth Authentication Bypass Flaws in Remote Access Software (CVE-2026-40138 & CVE-2026-40139)

Executive Summary

BeyondTrust, a global leader in privileged access management (PAM), has released critical security updates addressing two severe pre-authentication vulnerabilities in its flagship Remote Support (RS) and Privileged Remote Access (PRA) solutions. Tracked as CVE-2026-40138 and CVE-2026-40139 (each carrying a CVSS score of 9.2), the flaws reside within the appliances' authentication processing subsystems.

Exploitation allows unauthenticated, network-positioned attackers to bypass access controls entirely, granting unauthorized access to the administration console and enabling complete takeover of highly privileged technician sessions. Because remote access gateways are high-value targets, organizations utilizing unpatched versions are urged to deploy the updates immediately.

Technical Deep-Dive

BeyondTrust Remote Support and Privileged Remote Access are enterprise-class appliances deployed to facilitate secure, just-in-time remote desktop, technician assistance, and administrative access to high-trust network zones.

The vulnerabilities represent critical logical validation flaws categorized under CWE-287: Improper Authentication and CWE-302: Authentication Bypass by Assumed Relation.

Exploit Mechanics and Vulnerability Flows

1. The Authentication Subsystem: The flaws sit directly within BeyondTrust's authentication validation pipelines, which process inbound login requests and assertion payloads.

2. Improper Validation (CVE-2026-40138): Under certain configurations, the authentication subsystem fails to properly validate incoming assertion data. An attacker positioned on the network can forge authentication payloads, tricking the appliance into assuming a pre-authenticated relation.

3. Request Processing Flaw (CVE-2026-40139): This vulnerability involves improper parsing of multi-stage authentication requests. Attackers can leverage specific parameter configurations to bypass access checks and gain administrative rights without presenting valid credentials.

4. High Availability Risk (CVE-2026-40140): In addition to the bypass flaws, BeyondTrust patched a high-severity pre-authentication vulnerability (CVSS 8.7) in the network communication subsystem. Insufficient validation of client-supplied inputs allows unauthenticated remote attackers to trigger memory exhaustion and denial-of-service (DoS) conditions.

CVE Identifier

CVSS Score

Impact Severity

Remediation Status

CVE-2026-40138

9.2

Critical

Patched in RS 26.2.1 / PRA 25.3.3

CVE-2026-40139

9.2

Critical

Patched in RS 26.2.1 / PRA 25.3.3

CVE-2026-40140

8.7

High

Patched in RS 26.2.1 / PRA 25.3.3

Affected Versions: RS prior to 26.2.1 and PRA prior to 25.3.3.

Industry Impact and Threat Landscape

Privileged access gateways are one of the most critical perimeter defense lines for modern enterprises. These appliances hold administrative keys to active databases, active directory domains, and production servers.

A pre-authentication bypass on a remote gateway is a "keys to the kingdom" scenario. An attacker who successfully exploits CVE-2026-40138 can reach the BeyondTrust admin panel, create rogue technician profiles, hijack active administrative sessions, and laterally pivot into the enterprise internal network. Because the vulnerability requires zero prior credentials, automated botnets and ransomware syndicates are actively searching the public internet for exposed, unpatched BeyondTrust ports.

Recommendations and Mitigations

Organizations utilizing BeyondTrust remote assistance appliances must execute immediate emergency remediation:

* Deploy Emergency Patches: Immediately upgrade Remote Support (RS) deployments to version 26.2.1 or later, and Privileged Remote Access (PRA) gateways to version 25.3.3 or later.

* Review Configuration Settings: Note that both bypass flaws require specific authentication configurations to be enabled. Review BeyondTrust trust logs and ensure only highly secure SAML/OIDC federations are active.

* Restrict Network Exposure: Place BeyondTrust administration portals behind a virtual private network (VPN) or secure firewall, restricting public internet exposure to only essential client-facing endpoints.

* Audit Session Logs: Conduct a comprehensive forensic sweep of BeyondTrust event logs, specifically inspecting session creation records, newly generated technician profiles, and unauthenticated access requests matching the patched builds.

Category: Cyber Security Intelligence