BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication.
The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges.
The second one (CVE-2026-40139) patched this week stems from improper processing of BeyondTrust RS authentication requests, enabling unauthenticated remote attackers to gain unauthorized access to vulnerable instances.
In both cases, BeyondTrust noted that exploitation also requires a specific authentication configuration to be enabled, but it didn't share further details.
BeyondTrust has also released security updates for two high-severity security issues (CVE-2026-40140 and CVE-2026-40141) that can be exploited to trigger denial-of-service or access restricted resources on unpatched RS and PRA instances.
"The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Additional vulnerabilities may allow service disruption, unintended data access, and under distinct configurations, elevated access by an authenticated user that may impact system integrity," BeyondTrust said.
"A patch has been applied to all RS/PRA cloud customers as of April 21, 2026. Self-hosted customers should apply the April security rollup patch for the affected version if their instance is not subscribed to automatic updates or upgrade to RS 25.3.3 & above or PRA 25.3.3 & above."
Internet security watchdog group Shadowserver now tracks nearly 2,000 BeyondTrust RS and PRA instances exposed online, but there are no details on how many are honeypots or have already been patched against these flaws.
BeyondTrust RS and PRA instances exposed online (Shadowserver)
BeyondTrust flaws exploited in attacks
... continue reading