Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory
July 7, 2026
Critical Tenda Vulnerability Allows Remote Admin Access
July 7, 2026
Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
July 7, 2026
Home/CyberSecurity News/Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
CyberSecurity News

Critical BeyondTrust Vulnerabilities Allow Access Control Bypass

Key Takeaways BeyondTrust has disclosed multiple critical and high-severity vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) solutions. The most severe flaws,...

Marcus Rodriguez
Marcus Rodriguez
July 7, 2026 3 Min Read
3 0

Key Takeaways

  • BeyondTrust has disclosed multiple critical and high-severity vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) solutions.
  • The most severe flaws, CVE-2026-40138 and CVE-2026-40139, are pre-authentication issues that could allow unauthenticated attackers to bypass access controls, leading to unauthorized system access.
  • These vulnerabilities carry a maximum CVSS v4 score of 9.2, indicating a critical risk.
  • Cloud-hosted customers were automatically patched by April 21, 2026; self-hosted deployments require manual updates to version 25.3.3 or later.

BeyondTrust has issued a critical security advisory concerning several high-impact vulnerabilities within its Remote Support (RS) and Privileged Remote Access (PRA) products. These flaws, discovered internally, could enable attackers to circumvent existing access controls and gain unauthorized entry to sensitive systems.

Table Of Content

  • Key Takeaways
  • BeyondTrust Vulnerabilities
  • Additional High-Severity Flaws
  • What You Should Do

The issues are documented under Advisory ID BT26-03 and have been assigned a maximum CVSS v4 score of 9.2, underscoring the severe operational risk they pose to affected environments.

BeyondTrust’s Product Security team identified these vulnerabilities as part of its ongoing security research. The company further noted that these discoveries were augmented by advanced AI-driven vulnerability detection techniques, leveraging both proprietary and publicly available models.

BeyondTrust Vulnerabilities

This internal research was conducted independently and is not linked to any external projects. The most critical vulnerabilities identified are CVE-2026-40138 and CVE-2026-40139, both stemming from inadequate authentication mechanisms within the affected software.

These pre-authentication vulnerabilities could allow unauthenticated attackers to bypass security measures under specific configuration settings. Successful exploitation could grant unauthorized access to the appliance, potentially including accounts with elevated privileges, thereby significantly increasing the risk of a system compromise.

Specifically, CVE-2026-40138 impacts both Remote Support and Privileged Remote Access due to improper validation of authentication data. CVE-2026-40139, which exclusively affects Remote Support, is caused by faulty processing of authentication requests.

Exploitation of both critical flaws is contingent on particular authentication configurations being active. However, no user interaction is necessary for these attacks, making them particularly dangerous in environments accessible from external networks.

Additional High-Severity Flaws

In addition to the critical vulnerabilities, two high-severity issues were also identified. CVE-2026-40140 is a pre-authentication vulnerability located in the network communication subsystem. This flaw could allow attackers to trigger a denial-of-service condition, potentially disrupting service availability.

The second high-severity vulnerability, CVE-2026-40141, affects a web application component. It could permit authenticated users with limited privileges to access resources they are not authorized for, due to improper input validation.

BeyondTrust confirmed that all cloud-hosted customers received automatic patches by April 21, 2026. However, organizations utilizing self-hosted deployments must manually apply updates to mitigate the risk. The vulnerabilities impact Remote Support and PRA versions 25.3.2 and earlier.

What You Should Do

  • Apply the April 2026 security rollup patches immediately.
  • Upgrade to version 25.3.3 or later for both BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products.
  • Prioritize patching, especially for remote access tools exposed to external networks.
  • Verify that all updates have been successfully installed on self-hosted deployments.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Windows Device ID Used to Apprehend Scattered Spider Cybercriminal

Next Post

Critical Tenda Vulnerability Allows Remote Admin Access

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us