The Guard at the Gate Went to Sleep
Privileged access management exists to solve one problem: not everyone should be able to reach the crown-jewel systems, and the few who can should be watched closely. Tools like BeyondTrust Remote Support and Privileged Remote Access are the guard at that gate — they broker the connections your administrators and vendors use to reach sensitive machines. When that guard works, it is invisible. When it fails, the attacker does not need to pick a hundred locks; they only need to walk past the one guard that was supposed to stop them.
On July 7, 2026, BeyondTrust published advisory BT26-02, disclosing four vulnerabilities — two of them critical pre-authentication bypasses rated CVSS 9.2. This matters now because these are not obscure edge-case bugs in a rarely used feature. They sit in the authentication subsystem itself, the exact part of the product whose entire job is to decide who gets in. And remote-access appliances like these have been a favorite target of well-resourced attackers for well over a year.
What Actually Broke
Two flaws carry the critical rating, and both are pre-authentication — meaning an attacker needs no valid credentials to begin.
CVE-2026-40138 (CVSS 9.2) lives in the authentication subsystem of both Remote Support and Privileged Remote Access. It stems from improper validation of authentication data. A network-positioned attacker can abuse it to bypass access controls entirely and gain unauthorized access to the appliance — including accounts that carry elevated privileges.
CVE-2026-40139 (CVSS 9.2) affects Remote Support and comes from improper processing of authentication requests. An unauthenticated remote attacker can use it to bypass access controls and reach the appliance without ever proving who they are.
Two more issues round out the advisory: CVE-2026-40140 (CVSS 8.7), a denial-of-service flaw, and CVE-2026-40141 (CVSS 8.5), an input-validation weakness. Serious in their own right, but the authentication bypasses are the ones that will keep security teams awake.
Why a Bypass Here Is Worse Than Almost Anywhere Else
Most authentication bugs give an attacker a foothold. A bypass in a privileged-access product hands them the master key. These appliances are, by design, connected to the most sensitive systems in an organization — that is their purpose. Compromise the broker, and you inherit its reach: the very administrator sessions and vendor connections it was built to protect.
That is why remote-access and PAM appliances have been singled out by sophisticated, state-aligned attackers who have probed this class of tool for roughly eighteen months. They are not looking for one workstation. They are looking for the one box that quietly touches everything.
The Important Nuance: Not Every Deployment Is Exploitable
There is a meaningful catch. Successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. If that configuration is not in use, the critical path is not open in the same way. This does not make the update optional — configurations drift, and a bug in the authentication subsystem is exactly the kind of thing you patch regardless — but it does mean the risk is not uniform across every installation. Knowing your own configuration is the difference between "urgent" and "already handled."
Step 1: Find Out If You Are Exposed
Identify which product and version you run, and whether the at-risk authentication configuration is enabled.
- Check your Remote Support (RS) and Privileged Remote Access (PRA) version against the fixed release below.
- Determine whether your instance is a cloud deployment or self-hosted — the remediation path differs.
- Review your authentication configuration to see whether the condition the critical CVEs depend on is present.
If you are self-hosted, on a pre-25.3.3 build, and running the at-risk configuration, treat this as an active incident-readiness item, not a routine update.
Step 2: Patch to the Fixed Release
All four vulnerabilities are fixed in Remote Support 25.3.3 and Privileged Remote Access 25.3.3, and in any later version. Upgrade to at least that release.
Fixed in: RS 25.3.3 (and above) · PRA 25.3.3 (and above)
If you are a cloud customer, BeyondTrust reports the fix was already applied across cloud instances as of April 21, 2026 — but confirm your instance is on a patched build rather than assuming it.
Step 3: If You Are Self-Hosted and Cannot Upgrade Yet
For self-hosted instances that are not on automatic updates and cannot jump to 25.3.3 immediately, apply the April security rollup patch for your affected version. This closes the flaws without a full version upgrade. Treat it as a bridge to the proper upgrade, not a permanent resting place — and, where feasible, review whether the specific authentication configuration the critical CVEs depend on truly needs to be enabled.
Conclusion
The uncomfortable lesson of BeyondTrust BT26-02 is that the tools we trust to enforce access are software too, and software written to guard the gate can still contain the mistake that opens it. The reassuring half is that the fix is available, the fixed version is clearly named, and cloud customers were remediated months ago. For everyone running self-hosted, the task is simple to state and worth doing without delay: identify your version and configuration, patch to 25.3.3 or apply the April rollup, and verify — because a privileged-access appliance is the last place you want to discover an unauthenticated stranger.
Merits
- The fix is available now. All four CVEs are resolved in a clearly identified release, so remediation is an upgrade, not a research project.
- Cloud customers were already covered. BeyondTrust applied the fix across cloud instances back in April 2026.
- A conditional attack surface. Because the critical flaws depend on a specific configuration, some deployments were never in the direct line of fire.
Demerits
- The flaw is in the authentication subsystem itself. There is no worse place for a pre-auth bypass than the component whose only job is authentication.
- Two critical bypasses at once. Both CVE-2026-40138 and CVE-2026-40139 are CVSS 9.2 and require no credentials to start.
- A long-targeted class of product. Remote-access appliances have been under sustained pressure from advanced attackers, so the window between disclosure and exploitation attempts is short.
Caution
Do not assume "cloud-patched in April" means you are safe if you run self-hosted — the two paths are separate, and a self-hosted appliance left on an old build is exactly the exposure this advisory describes. Equally, do not lean on "our configuration isn't affected" as a permanent answer; configurations change, staff change, and a critical bug in the authentication subsystem should be patched on principle. Verify the running version after upgrading — a rollup that was downloaded but not applied protects nothing.
Frequently asked questions
Do I need to do anything if I use BeyondTrust cloud? The fix was applied to cloud instances as of April 21, 2026. Confirm your instance is on a patched build, but you are not expected to patch it yourself.
How do I know if I am actually exploitable? The two critical CVEs depend on a specific authentication configuration being enabled. Review your configuration; if it is not in use, the critical path is not open the same way — but patch anyway.
Is this related to older BeyondTrust incidents? BeyondTrust's remote-access products have drawn repeated attention from sophisticated attackers over the past year and a half. Treat any critical flaw in this class of tool as high priority regardless of past events.
What is the fastest safe action? Upgrade self-hosted RS and PRA to 25.3.3 or later, or apply the April security rollup for your version, then verify the running build.
Tags
security, pam, vulnerability, beyondtrust, cve
Get new posts by email. No spam — unsubscribe anytime.


Responses
Sign in to leave a response.