BeyondTrust Urges Immediate Patching for Critical Authentication Bypass Flaws (CVE-2026-40138, CVE-2026-40139)

BeyondTrust Patches Critical Flaws in Remote Support and Privileged Access Tools

CRITICAL
July 8, 2026
4m read
VulnerabilityPatch ManagementSecurity Operations

Related Entities

Organizations

Products & Tech

BeyondTrust Remote SupportBeyondTrust Privileged Remote Access

CVE Identifiers

CVE-2026-40138
CRITICAL
CVE-2026-40139
CRITICAL

Full Report

Executive Summary

BeyondTrust has issued a security advisory for a pair of critical authentication bypass vulnerabilities in its Remote Support and Privileged Remote Access products. The vulnerabilities, tracked as CVE-2026-40138 and CVE-2026-40139, could allow a remote, unauthenticated attacker to gain access to the core appliance, potentially leading to a full compromise of managed systems. These platforms are powerful tools used to manage privileged access across an enterprise, making them a prime target for threat actors, especially ransomware groups seeking to escalate privileges and move laterally. With an exploit probability rated at the 100th percentile, immediate action is required to prevent what experts consider an imminent threat.


Vulnerability Details

The two critical vulnerabilities could allow an attacker to bypass authentication and gain control of the BeyondTrust appliance:

  • CVE-2026-40138: An improper authentication vulnerability that could allow an unprivileged attacker to gain access to the appliance. This suggests a flaw in the logic that verifies user permissions, potentially allowing for privilege escalation to an administrative level.

  • CVE-2026-40139: This flaw stems from the mishandling of remote support authentication requests. It could grant a completely unauthenticated remote attacker direct access to the appliance. This is the more severe of the two, as it requires no prior access or credentials.

Successful exploitation of either vulnerability would give an attacker a strategic foothold from which to control privileged sessions, steal credentials, and access any system managed by the BeyondTrust platform.

Affected Systems

  • Product: BeyondTrust Remote Support

  • Affected Versions: 25.3.2 and earlier

  • Product: BeyondTrust Privileged Remote Access

  • Affected Versions: 25.3.2 and earlier

Exploitation Status

While there is no public confirmation of active exploitation in the wild at this time, the exploit probability has been rated at the 100th percentile by security experts. This indicates that the vulnerabilities are likely easy to exploit and a proof-of-concept exploit is expected to be developed and used by threat actors imminently. Organizations should treat this as an active threat.

Impact Assessment

A compromise of a BeyondTrust appliance is a worst-case scenario for many organizations:

  • Complete Infrastructure Compromise: Attackers gaining control of a Privileged Access Management (PAM) solution can access every critical server, database, and network device managed by it.
  • Ransomware Deployment: Ransomware groups frequently target remote access and PAM tools to deploy their payloads across an entire network simultaneously.
  • Data Exfiltration: Attackers can steal credentials for all managed systems and use them to exfiltrate vast amounts of sensitive data.
  • Loss of Control: The very tool used to secure and manage the environment becomes the primary weapon used against it.

Cyber Observables — Hunting Hints

Security teams should hunt for signs of compromise on their BeyondTrust appliances:

Type
log_source
Value
BeyondTrust Appliance Audit Logs
Description
Look for any successful administrative logins from unknown or suspicious IP addresses.
Type
network_traffic_pattern
Value
Anomalous outbound connections from appliance
Description
The BeyondTrust appliance should generally only communicate with known endpoints. Any new, unexpected outbound connections could indicate a C2 channel.
Type
other
Value
Unexplained user accounts or configuration changes
Description
Audit the appliance configuration for any new user accounts, modified permissions, or changes to security settings that were not made by authorized administrators.

Detection Methods

  1. Version Checking: The most straightforward detection method is to check the version number of all BeyondTrust appliances in the environment to see if they are 25.3.2 or earlier.
  2. Log Analysis: Ingest appliance logs into a SIEM. Create alerts for any successful login that bypasses expected authentication steps or originates from an untrusted network, if such data is available in the logs.
  3. Network Monitoring: Monitor all network traffic to and from the BeyondTrust appliances. Any connections on non-standard ports or to suspicious external IPs should be investigated immediately.

Remediation Steps

  1. Patch Immediately (D3-SU: Software Update): The primary and most urgent recommendation is to apply the patches released by BeyondTrust. This is the only way to fully remediate the vulnerabilities. Reference MITRE M1051 - Update Software.
  2. Mitigation - Restrict Access: For organizations that cannot patch immediately, BeyondTrust recommends a critical compensating control: restrict all network access to the appliance's management interface to a trusted, internal network segment. This means blocking all access from the internet and other untrusted parts of the corporate network until the patch can be deployed. Reference MITRE M1035 - Limit Access to Resource Over Network.
  3. Review Logs: After patching, review all authentication and session logs on the appliance for any signs of suspicious activity that may have occurred before the patch was applied.

Timeline of Events

1
July 8, 2026
This article was published

MITRE ATT&CK Mitigations

Applying the vendor-provided patches is the most critical and effective way to remediate these vulnerabilities.

Mapped D3FEND Techniques:

Restricting network access to the appliance's management interface to a trusted network is a crucial compensating control.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Regularly audit appliance logs for any signs of unauthorized access or configuration changes.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

Given the critical nature of CVE-2026-40138 and CVE-2026-40139 and the high likelihood of imminent exploitation, the top priority for all BeyondTrust customers is to apply the security updates immediately. A Privileged Access Management (PAM) system is a 'keys to the kingdom' asset, and its compromise can lead to a full network takeover. Organizations must activate their emergency patching procedures, bypassing standard change control windows if necessary, to deploy these updates to all Remote Support and Privileged Remote Access appliances. After patching, administrators should verify the update was successful and review audit logs for any suspicious activity preceding the patch.

For organizations unable to apply the patches immediately, the only viable mitigation is Network Isolation. The management interfaces of the BeyondTrust appliances must be firewalled off from all untrusted networks, including the general corporate LAN and especially the internet. Access should be restricted to a small, dedicated set of IP addresses belonging to a secure management VLAN or specific administrator workstations. This network-level control prevents a remote attacker from ever reaching the vulnerable interface, effectively blocking the attack vector for CVE-2026-40139. This should be treated as a temporary, emergency measure until patching can be completed.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

BeyondTrustVulnerabilityAuthentication BypassCVE-2026-40138CVE-2026-40139PAMPatch Management

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.