BeyondTrust Rushes Fixes for Two Critical Flaws That Let Attackers Walk Into Remote Support Tools
The company's Remote Support and Privileged Remote Access products carry pre-authentication bugs rated 9.2 on the severity scale, meaning attackers need no password to break in.

Key points
- BeyondTrust released patches for two critical flaws in its Remote Support (RS) and Privileged Remote Access (PRA) products.
- CVE-2026-40138 carries a CVSS score of 9.2 and can be triggered before an attacker logs in.
- The bugs let unauthenticated attackers take control of vulnerable installations.
- BeyondTrust products are widely used by IT help desks and third-party contractors to reach sensitive internal systems.
- Customers running self-hosted appliances should apply the vendor updates immediately.
BeyondTrust has shipped emergency updates for two critical security holes in tools that companies rely on to give remote help-desk access to their own machines.
The flaws sit in Remote Support (RS) and Privileged Remote Access (PRA). Both products let IT staff, and sometimes outside contractors, connect into a company's computers to fix problems or run privileged tasks.
The most serious bug is tracked as CVE-2026-40138, with a severity score of 9.2 out of 10. It is a pre-authentication vulnerability, which in plain English means an attacker does not need a username or password to set it off. They just need to be able to reach the appliance over the network.
A second flaw, disclosed at the same time, carries a similar risk profile. Together they can let an outsider take control of the very system that is designed to hold the keys to everything else.
The issue was first reported by The Hacker News.
Why does this matter beyond the IT department?
Because these are the tools that reach into everything else.
Remote Support and PRA are used by banks, hospitals, government agencies and large retailers to let technicians open a session on an employee's laptop, a server, or a database. If someone breaks into that pipe, they inherit the same reach the technicians have. That can mean payroll systems, patient records, or point-of-sale terminals.
BeyondTrust is the same vendor that was at the centre of a state-linked intrusion at the US Treasury Department in late 2024, which is one reason regulators and large customers watch its advisories closely.
What customers should do now
BeyondTrust's own security advisory is the authoritative source, and it lists the fixed versions for each supported release train. Administrators should:
- Apply the vendor's patch or hotfix to every RS and PRA appliance, on-premise or self-hosted.
- Check appliance logs for unusual sessions or configuration changes dating back several weeks, not just since the advisory.
- Restrict management interfaces to trusted networks where possible while patching is in progress.
Cloud-hosted customers, where BeyondTrust runs the appliance itself, are typically patched by the vendor. On-premise customers have to move themselves.
What this means for ordinary people
Most readers will never touch a BeyondTrust console. But if your employer, your bank, or your hospital uses one, this is the kind of flaw that quietly matters. A break-in here does not look like a phishing email in your inbox. It looks like a legitimate IT session, from a legitimate tool, doing things it should not.
There is nothing an individual customer or patient can do about that directly. What you can do is treat unexpected "IT support" contact with suspicion. Real technicians do not cold-call and ask for codes.
Regulatory angle
US-listed companies that run affected BeyondTrust appliances should note that a successful exploit could trigger disclosure obligations under the SEC's cybersecurity rules at 17 CFR 229.106, which require reporting of material cybersecurity incidents on Form 8-K Item 1.05 within four business days of a materiality determination. Whether this specific flaw rises to that bar depends on facts each registrant will have to assess. The rules are final, not proposed, and have been in force since December 2023.
Expect further guidance from BeyondTrust as more customers finish patching and any exploitation activity becomes visible.



