What to Do About the BeyondTrust Remote Access Bug

by Rebecca Sutton

Does your helpdesk use BeyondTrust Remote Support or Privileged Remote Access? Then there is a patch you need this week. BeyondTrust has disclosed a privileged remote access vulnerability that lets an attacker skip the login screen entirely on unpatched appliances. Three related flaws came out alongside it. Here is what actually matters and what to do about it.

What was found

BeyondTrust’s advisory, BT26-03, lists four issues in Remote Support and PRA versions 25.3.2 and earlier. Two of them, CVE-2026-40138 and CVE-2026-40139, are pre-authentication bypasses. Both score 9.2 out of 10 on BeyondTrust’s own CVSS 4.0 scale. Neither requires a username, a password or any prior access. An attacker who can reach the appliance over the network can walk straight past the login. In some configurations they can land on an account with elevated privileges.

A third flaw, CVE-2026-40140, can be used to crash the appliance through malformed network traffic. The fourth, CVE-2026-40141, lets someone who already has a low-privilege account reach data they should not be able to touch. All four are fixed in version 25.3.3.

Understanding this privileged remote access vulnerability

The two most severe flaws share a common thread: they need no credentials at all. That matters because it removes the usual first line of defence. Password policies, multi-factor authentication and account lockouts do nothing here. They cannot stop a bug that bypasses the login screen itself. Until you patch, the only real protection is limiting who can reach the appliance over the network at all.

Who needs to act on this privileged remote access vulnerability

If you use the cloud-hosted version of Remote Support or PRA, there is good news. BeyondTrust says the fix already shipped to your instance in April, well before this week’s public advisory. Still, confirm this with your account team. Do not just assume it happened silently in the background.

If you run a self-hosted appliance, the update does not apply itself. Check your current version against 25.3.3. If you are behind, schedule the upgrade as a priority patch rather than folding it into the next routine maintenance window. Two of the four flaws need no credentials at all, so “we’ll get to it next month” is not a safe answer here.

Why this particular vendor deserves extra attention

This is not BeyondTrust’s first serious incident. In December 2024, the Chinese state-backed group Silk Typhoon breached BeyondTrust’s own systems using a pair of zero-day flaws. They stole an API key and used it to reach seventeen customer Remote Support instances. One of those belonged to the US Treasury Department. Then, in February 2026, a separate bug in the same product line, CVE-2026-1731, was added to CISA’s Known Exploited Vulnerabilities list. Attackers had started using it against real targets.

This is the third major security event tied to this product family in under eighteen months. That pattern alone justifies treating any new BeyondTrust advisory as urgent rather than routine.

A short checklist for this privileged remote access vulnerability

Confirm your Remote Support and PRA version now, not at the next patch cycle. Anything at 25.3.2 or below needs the update.

Check whether your appliance is exposed directly to the internet. If it does not need to be, put it behind a VPN or restrict access to known IP ranges instead.

Review recent authentication logs on the appliance for anything unusual, particularly successful logins from unfamiliar locations or at odd hours. A bypass of this kind can look like normal admin activity to anyone not specifically looking for it.

Ask your supplier, whether that is BeyondTrust or another remote access vendor, how they test these products before release. Also ask how quickly a cloud fix reaches self-hosted customers. The months-long gap between the April cloud patch and this week’s public disclosure is worth questioning directly.

What about the two lower-severity flaws?

It is tempting to focus only on the two 9.2-rated bugs and treat the other pair as an afterthought. Resist that urge. CVE-2026-40140, the denial-of-service flaw, can take your remote support capability offline. That is the last thing you want during an active incident elsewhere on the network. CVE-2026-40141 matters for a different reason. It shows that even a low-privilege helpdesk account can become a route to data it was never meant to see. That includes accounts handed to a junior technician or a contractor. All four issues get fixed by the same upgrade, so there is no reason to patch selectively.

The bigger point

This privileged remote access vulnerability is a reminder of what these tools are for. Remote support and privileged access tools are built to grant deep, trusted control over your systems. That is precisely why they are such an attractive target. A vulnerability here carries more weight than an equivalent bug in a less privileged application. Patching promptly matters, but so does limiting what these tools can reach and watching how they are used. The next flaw in this category will not announce itself in advance either.

Subscribe to our newsletter

Honest updates, straight to your inbox. Unsubscribe any time.

You may also like