BeyondTrust CVE-2026-40138 Auth Bypass Left Self-Hosted Users Exposed

BeyondTrust patched a CVSS 9.2 auth bypass in Remote Support and PRA for SaaS users months ago but withheld notice from self-hosted operators until July 7.
Table of Contents
    Add a header to begin generating the table of contents

    BeyondTrust disclosed a critical pre-authentication vulnerability on July 7 affecting its Remote Support and Privileged Remote Access products — platforms used by enterprises and managed service providers to govern privileged session access across entire infrastructure environments. The company had already deployed a fix to all SaaS-hosted customers months earlier without any public announcement, leaving organizations running on-premises appliances unaware that their deployments were vulnerable.

    CVE-2026-40138: Pre-Auth Bypass in BeyondTrust’s Authentication Subsystem

    CVE-2026-40138 carries a CVSS score of 9.2. The flaw is rooted in improper validation of authentication data within BeyondTrust’s authentication subsystem. An attacker with network access to the appliance who encounters a specific authentication configuration can bypass access controls without valid credentials, gaining unauthorized access including to accounts with elevated privileges. No user interaction is required to complete the attack.

    The vulnerability affects Remote Support versions 25.3.2 and earlier and Privileged Remote Access versions 25.3.2 and earlier. BeyondTrust deployed a silent fix — RS 25.3.3 and PRA 25.3.3 — to all SaaS-hosted customers on April 21, 2026. Organizations running self-hosted BeyondTrust appliances received no notification until the July 7 advisory made the vulnerability public for the first time.

    BeyondTrust’s advisory specifies that exploitation depends on a particular authentication configuration being active on the target appliance. The advisory does not identify exactly which configuration setting triggers the vulnerable path, making configuration-based risk assessments unreliable. Organizations should apply the patch regardless of their current settings.

    How the Silent SaaS Patch Left On-Premises Operators Without Warning

    The disclosure gap is significant: SaaS customers were protected approximately two and a half months before self-hosted operators learned a flaw existed. Any enterprise or managed service provider running an on-premises BeyondTrust Remote Support or PRA appliance without automatic update processes has been operating vulnerable software since the original vulnerability window opened — with no vendor notification that a patch was already available.

    This silent patching approach for SaaS, followed by delayed disclosure to self-hosted customers, mirrors a pattern that has drawn criticism from security practitioners in prior BeyondTrust incidents. Self-hosted operators argue that they carry the same exposure risk as cloud customers and that silent patching without concurrent disclosure leaves them unable to make informed security decisions for their environments.

    Why a Compromised BeyondTrust Appliance Enables Network-Wide Access

    BeyondTrust Remote Support and Privileged Remote Access are not standard enterprise applications. They are the control planes through which security teams establish privileged sessions to critical infrastructure, managing access to servers, endpoints, and network devices across entire organizations.

    An attacker who gains unauthorized access to a BeyondTrust appliance via CVE-2026-40138 does not obtain a single-system foothold. They gain access to the BeyondTrust platform itself, from which they can potentially initiate privileged sessions to any system the platform manages. The scope of lateral movement potential scales directly with the breadth of the BeyondTrust deployment in the affected environment.

    Security teams should note that CVE-2026-40138 is a separate and new flaw — it is not related to CVE-2026-1731, a distinct BeyondTrust vulnerability carrying a CVSS 9.9 rating that was disclosed in February 2026. The two vulnerabilities affect the same product line but differ in mechanism and patch requirements.

    Patch Requirements and Incident Response Guidance for RS and PRA Operators

    BeyondTrust’s advisory directs all self-hosted customers to apply the April security rollup immediately. The required versions are Remote Support 25.3.3 or later and Privileged Remote Access 25.3.3 or later. Both were available since April 21, 2026.

    Operators should review BeyondTrust RS and PRA authentication configuration settings to assess whether the specific condition enabling exploitation is currently active on their appliances. Access and session logs covering the period from the original vulnerability window through the date of patch application should be audited for unauthorized sessions, unexpected authenticated accounts, or session activity originating from unrecognized source addresses.

    Given the privileged access management function these platforms serve, any confirmed unauthorized access should be treated as a potential enterprise-wide incident. Attackers who gained access via CVE-2026-40138 may have used the BeyondTrust platform to establish persistence on downstream managed systems without any additional exploitation steps required.

    Related Posts