
BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication.
The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges.
The second one (CVE-2026-40139) patched this week stems from improper processing of BeyondTrust RS authentication requests, enabling unauthenticated remote attackers to gain unauthorized access to vulnerable instances.
In both cases, BeyondTrust noted that exploitation also requires a specific authentication configuration to be enabled, but it didn't share further details.
BeyondTrust has also released security updates for two high-severity security issues (CVE-2026-40140 and CVE-2026-40141) that can be exploited to trigger denial-of-service or access restricted resources on unpatched RS and PRA instances.
"The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Additional vulnerabilities may allow service disruption, unintended data access, and under distinct configurations, elevated access by an authenticated user that may impact system integrity," BeyondTrust said.
"A patch has been applied to all RS/PRA cloud customers as of April 21, 2026. Self-hosted customers should apply the April security rollup patch for the affected version if their instance is not subscribed to automatic updates or upgrade to RS 25.3.3 & above or PRA 25.3.3 & above."
BeyondTrust flaws exploited in attacks
While BeyondTrust didn't share any information about these flaws being abused in attacks before the patch, other security flaws affecting the company's remote support software have been exploited in the wild in recent years.
Most recently, a critical pre-authentication remote code execution vulnerability affecting Remote Support and Privileged Remote Access appliances (CVE-2026-1731) was exploited to establish WebSocket channels and to deploy ransomware on vulnerable systems.
Other BeyondTrust flaws have been weaponized to compromise the systems of U.S. government agencies. For instance, two years ago, the U.S. Treasury Department revealed that its network had been hacked in an incident linked to the notorious Chinese state-backed Silk Typhoon cyberespionage group.
Silk Typhoon is believed to have exploited two zero-days (CVE-2024-12356 and CVE-2024-12686) to breach BeyondTrust's systems and use a stolen API key to compromise 17 Remote Support SaaS instances, including the Treasury's instance.
The Chinese hacking group also targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers U.S. sanctions programs.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper