BeyondTrust has released security updates to remediate four vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) solutions, including two Critical authentication bypass flaws that could allow attackers to gain unauthorized access to vulnerable appliances under specific deployment configurations. The products are commonly used by organizations to deliver remote technical support and manage privileged access to enterprise systems, making them attractive targets because they often provide administrative access to critical IT environments.
The most severe issues originate within the products' authentication mechanisms, which verify user identities before granting access. Because the vulnerabilities can be triggered before the authentication process is completed, successful exploitation may allow attackers to bypass an important security control without first supplying valid credentials.
One of the Critical vulnerabilities, tracked as CVE-2026-40138, carries a CVSS score of 9.2 and affects both BeyondTrust Remote Support and Privileged Remote Access. According to the advisory, the flaw stems from improper validation of authentication data within the authentication subsystem. Under specific authentication configurations, a network-positioned attacker could bypass access controls and obtain unauthorized access to the appliance, including accounts with elevated privileges.
BeyondTrust also addressed CVE-2026-40139, another Critical vulnerability assigned a CVSS score of 9.2 that impacts Remote Support. The issue results from improper processing of authentication requests and could enable an unauthenticated remote attacker to circumvent authentication controls and gain unauthorized access to affected appliances, including privileged accounts. Similar to CVE-2026-40138, exploitation depends on a particular authentication configuration being enabled, meaning the exposure varies according to how affected environments are deployed.
In addition to the authentication bypass flaws, the company disclosed CVE-2026-40140, a High-severity vulnerability with a CVSS score of 8.7 affecting the network communication subsystem. The issue arises from insufficient validation of client-supplied input and could allow an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition, disrupting the availability of vulnerable appliances rather than providing direct access to them.
The fourth vulnerability, CVE-2026-40141, received a CVSS score of 8.5 and affects web application components within both Remote Support and Privileged Remote Access. Caused by inadequate validation of user-supplied input, the flaw could enable an authenticated user with limited privileges to access resources or information beyond their intended authorization. BeyondTrust noted that exploitation of this vulnerability is limited to accounts that already possess specific permissions.
The company said the vulnerabilities were identified during ongoing internal security assessments with assistance from publicly available artificial intelligence models, including Anthropic Claude Opus 4.8, alongside BeyondTrust's proprietary security research tooling. The use of AI-supported analysis reflects a growing trend of incorporating large language models into vulnerability research to assist security teams in identifying potential weaknesses alongside conventional testing techniques.
According to BeyondTrust, the most severe vulnerabilities could allow authentication bypass and unauthorized access when affected systems are configured in specific ways. The remaining flaws could result in service disruption, unintended access to data, or expanded privileges for authenticated users under defined conditions, potentially affecting the confidentiality, availability, and integrity of vulnerable systems.
The vulnerabilities have been resolved in Remote Support version 25.3.3 and later and Privileged Remote Access version 25.3.3 and later. Organizations running version 25.3.2 or earlier of either product are advised to upgrade to the latest available release to mitigate the disclosed risks.
BeyondTrust stated that it has not observed evidence of the newly disclosed vulnerabilities being exploited in the wild. Nevertheless, the company noted that its Remote Support and Privileged Remote Access products have previously been targeted by threat actors. Earlier vulnerabilities, including CVE-2024-12356 and CVE-2026-1731, were exploited to deploy web shells and backdoors on compromised appliances, demonstrating the continued interest of attackers in enterprise remote access infrastructure. Given that history and the privileged role these products play within enterprise environments, organizations are encouraged to apply the available security updates promptly to reduce their exposure to potential attacks.