Several critical vulnerabilities have been identified in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) solutions, posing significant risks of unauthorized access to critical systems. These vulnerabilities, disclosed by BeyondTrust, allow attackers to bypass access controls, potentially compromising sensitive data.
High-Severity Risks Identified
These issues are cataloged under Advisory ID BT26-03 and have a maximum CVSS v4 score of 9.2, indicating high severity. The vulnerabilities were discovered by BeyondTrust’s Product Security team during routine security assessments, leveraging both AI-driven and proprietary vulnerability discovery tools.
Details of the Vulnerabilities
The primary vulnerabilities, CVE-2026-40138 and CVE-2026-40139, originate from inadequate authentication processes within the affected products. These flaws could permit attackers to bypass access controls without authentication under certain configurations. Specifically, CVE-2026-40138 affects both RS and PRA, while CVE-2026-40139 is limited to RS, both arising from improper authentication data handling.
Additionally, two high-severity vulnerabilities were identified: CVE-2026-40140, a pre-authentication flaw in network communications, and CVE-2026-40141, affecting a web application component, which could lead to unintended resource access.
Mitigation and Security Measures
BeyondTrust has confirmed that as of April 21, 2026, cloud-hosted clients received automatic patches. However, self-hosted deployments must manually apply updates to mitigate risks. Versions 25.3.2 and earlier are vulnerable, and it is recommended to update to version 25.3.3 or later to address these vulnerabilities.
Security teams must prioritize patching, especially in environments where remote access tools are exposed to external networks. Given the potential for privilege escalation and unauthenticated exploitation, these vulnerabilities could be exploited in targeted attacks or broader campaigns if not addressed promptly.
Organizations are urged to apply the April 2026 security rollup patches to safeguard their systems. Prompt action will help in maintaining robust security postures and protecting against potential breaches.
