BeyondTrust has issued a security advisory for a pair of critical authentication bypass vulnerabilities in its Remote Support and Privileged Remote Access products. The vulnerabilities, tracked as CVE-2026-40138 and CVE-2026-40139, could allow a remote, unauthenticated attacker to gain access to the core appliance, potentially leading to a full compromise of managed systems. These platforms are powerful tools used to manage privileged access across an enterprise, making them a prime target for threat actors, especially ransomware groups seeking to escalate privileges and move laterally. With an exploit probability rated at the 100th percentile, immediate action is required to prevent what experts consider an imminent threat.
The two critical vulnerabilities could allow an attacker to bypass authentication and gain control of the BeyondTrust appliance:
CVE-2026-40138: An improper authentication vulnerability that could allow an unprivileged attacker to gain access to the appliance. This suggests a flaw in the logic that verifies user permissions, potentially allowing for privilege escalation to an administrative level.
CVE-2026-40139: This flaw stems from the mishandling of remote support authentication requests. It could grant a completely unauthenticated remote attacker direct access to the appliance. This is the more severe of the two, as it requires no prior access or credentials.
Successful exploitation of either vulnerability would give an attacker a strategic foothold from which to control privileged sessions, steal credentials, and access any system managed by the BeyondTrust platform.
Product: BeyondTrust Remote Support
Affected Versions: 25.3.2 and earlier
Product: BeyondTrust Privileged Remote Access
Affected Versions: 25.3.2 and earlier
While there is no public confirmation of active exploitation in the wild at this time, the exploit probability has been rated at the 100th percentile by security experts. This indicates that the vulnerabilities are likely easy to exploit and a proof-of-concept exploit is expected to be developed and used by threat actors imminently. Organizations should treat this as an active threat.
A compromise of a BeyondTrust appliance is a worst-case scenario for many organizations:
Security teams should hunt for signs of compromise on their BeyondTrust appliances:
BeyondTrust Appliance Audit LogsAnomalous outbound connections from applianceUnexplained user accounts or configuration changes25.3.2 or earlier.Applying the vendor-provided patches is the most critical and effective way to remediate these vulnerabilities.
Mapped D3FEND Techniques:
Restricting network access to the appliance's management interface to a trusted network is a crucial compensating control.
Mapped D3FEND Techniques:
Given the critical nature of CVE-2026-40138 and CVE-2026-40139 and the high likelihood of imminent exploitation, the top priority for all BeyondTrust customers is to apply the security updates immediately. A Privileged Access Management (PAM) system is a 'keys to the kingdom' asset, and its compromise can lead to a full network takeover. Organizations must activate their emergency patching procedures, bypassing standard change control windows if necessary, to deploy these updates to all Remote Support and Privileged Remote Access appliances. After patching, administrators should verify the update was successful and review audit logs for any suspicious activity preceding the patch.
For organizations unable to apply the patches immediately, the only viable mitigation is Network Isolation. The management interfaces of the BeyondTrust appliances must be firewalled off from all untrusted networks, including the general corporate LAN and especially the internet. Access should be restricted to a small, dedicated set of IP addresses belonging to a secure management VLAN or specific administrator workstations. This network-level control prevents a remote attacker from ever reaching the vulnerable interface, effectively blocking the attack vector for CVE-2026-40139. This should be treated as a temporary, emergency measure until patching can be completed.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.