BeyondTrust patches two critical bugs that let attackers walk past the login screen

The remote-access vendor rushed out fixes for four flaws in its Remote Support and Privileged Remote Access products, two of which allow unauthenticated attackers to reach powerful admin accounts under certain configurations.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a dimly lit server room with a single rack door left ajar, blue and amber indicator lights glowing on network appliances
Share

Key points

  • BeyondTrust patched two critical authentication-bypass flaws, CVE-2026-40138 and CVE-2026-40139, in its Remote Support and Privileged Remote Access products on April 21, 2026.
  • Both bugs allow attackers with no login credentials to reach vulnerable appliances, including accounts with elevated privileges, when a specific authentication setting is enabled.
  • Cloud customers were patched automatically; self-hosted customers must install the April rollup or upgrade to version 25.3.3 or later.
  • Two additional high-severity flaws, CVE-2026-40140 and CVE-2026-40141, were fixed in the same batch and can be used to knock services offline or reach restricted data.
  • Earlier BeyondTrust bugs were used by the Chinese state-linked group Silk Typhoon to break into the U.S. Treasury Department in late 2024.

BeyondTrust has told customers to patch four security holes in its remote-access software, two of them serious enough that a stranger on the internet could stroll into a company's systems without a password.

The company sells tools that let IT staff log into machines from a distance to fix problems. Its Remote Support product handles helpdesk sessions. Privileged Remote Access controls how contractors and administrators reach sensitive servers. Both are widely used inside banks, hospitals and government agencies.

The most serious flaw, CVE-2026-40138, is what security people call an authentication bypass. In plain terms, the login check on the appliance can be tricked, so an attacker who should be blocked gets waved through, sometimes straight into an administrator account. It affects Remote Support and Privileged Remote Access versions 25.3.2 and earlier.

The second critical bug, CVE-2026-40139, sits in the way Remote Support handles login requests. A remote attacker with no account can abuse it to reach systems they should never see.

BeyondTrust said both bugs only work when a particular authentication setting is switched on. It did not say which one.

Two more flaws were fixed in the same round. CVE-2026-40140 and CVE-2026-40141 are rated high severity and can be used to crash the service or reach data that should be restricted.

How did the hackers get in?

Nobody has, yet. BeyondTrust says it has no evidence any of the four new bugs were used in attacks before the patch shipped. The fix landed for cloud customers on April 21, 2026. Self-hosted customers need to install the April security rollup or move to Remote Support 25.3.3 or Privileged Remote Access 25.3.3 and above.

The worry is history. BleepingComputer first reported the disclosure, and it lands against a backdrop of BeyondTrust flaws being weaponised repeatedly.

Earlier this year, CVE-2026-1731, a pre-authentication remote code execution bug in the same products, was used to open hidden communication channels and drop ransomware, which is malicious software that locks a company's files until a payment is made, on victim networks.

In late 2024, two zero-day flaws (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust's software were exploited by Silk Typhoon, a Chinese state-backed spying group. A zero-day means a bug the maker did not know about when attacks began. Silk Typhoon stole an API key, a kind of digital pass that software uses to talk to other software, and used it to break into 17 Remote Support cloud instances.

One of those belonged to the U.S. Treasury Department. The group also targeted the Committee on Foreign Investment in the United States, which vets foreign deals for security risks, and the Office of Foreign Assets Control, which runs U.S. sanctions.

The pattern is clear enough. Remote-access appliances sit at the edge of the network, they hold powerful credentials, and every fresh bug in one is a gift to intruders. Administrators running BeyondTrust gear should treat this week's patches as urgent, not routine.

Ordinary customers of companies that use BeyondTrust do not need to do anything themselves. Watch for notices from your bank, employer or health provider if a breach is later disclosed.

© 2026 Threat Vectr