VULNERABILITY

BeyondTrust Patches Two 9.2-Rated Auth Bypass Flaws in Remote Support and PRA

BeyondTrust shipped fixes for four vulnerabilities in Remote Support and Privileged Remote Access, including two pre-auth bypass flaws rated CVSS 9.2 that let unauthenticated attackers seize appliance accounts with elevated privileges. A third bug (8.7) enables denial-of-service and a fourth (8.5) lets low-privilege users reach data beyond their scope. Given the repeated in-the-wild exploitation of prior RS/PRA CVEs, upgrading to RS/PRA 25.3.3 is urgent.

Matt Lucas  |  July 7, 2026  |  5 min
BeyondTrust Patches Two 9.2-Rated Auth Bypass Flaws in Remote Support and PRA — editorial hero illustration
9.2
CVSS, two pre-auth bypasses
4
CVEs patched
25.3.3
Fixed version
0
Auth needed for worst case
TL;DR
  • What: BeyondTrust patched four flaws in Remote Support and Privileged Remote Access, including two CVSS 9.2 pre-authentication bypasses (CVE-2026-40138, CVE-2026-40139).
  • Impact: Under specific auth configurations, an unauthenticated network-positioned attacker can bypass access controls and take over appliance accounts with elevated privileges.
  • Fix / mitigation: Upgrade to Remote Support RS 25.3.3+ and Privileged Remote Access PRA 25.3.3+; versions 25.3.2 and lower are vulnerable.
  • Who's at risk: Any organization running BeyondTrust RS or PRA appliances 25.3.2 or below, especially internet-facing deployments.

BeyondTrust has patched four vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products, two of them rated CVSS 9.2. Both top-severity bugs are pre-authentication auth bypasses: an attacker with network access and no credentials can defeat access controls and land on the appliance in an account that includes elevated privileges. The fixes ship in RS 25.3.3 and PRA 25.3.3. Anything 25.3.2 or lower is exposed.

These are the products that broker privileged remote sessions into your environment. A compromised RS or PRA appliance is not a foothold on some isolated box, it is a position that sits above the credentials and sessions used to administer other systems. That is why prior flaws in this product line have been chained into web shell and backdoor deployments in the wild.

The four CVEs

The configuration caveats that matter

Read the fine print before you assume you are safe. Exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. CVE-2026-40141 is restricted to accounts holding specific permissions. That narrows the blast radius for some deployments, but it does not change the response: you cannot audit every appliance's config faster than you can push the patch, and the config that makes you vulnerable is a common one for organizations using federated or SSO-style authentication. Treat all four as reachable until you have upgraded.

Patch now, do not wait for exploitation reports

BeyondTrust reports no in-the-wild exploitation of these four CVEs. That is cold comfort. Two earlier RS/PRA flaws, CVE-2024-12356 and CVE-2026-1731, came under repeated exploitation and were used to drop web shells and backdoors. Pre-auth bypasses on privileged-access appliances are exactly the class of bug attackers reverse-engineer from patches within days.

How these were found

BeyondTrust says it identified all four internally during ongoing security assessments, with help from publicly available AI models, naming Anthropic's Claude Opus 4.8, alongside its own proprietary research tooling. That is a notable data point on both sides of the fence: vendors are now using frontier models to surface vulnerability classes at scale, and so are the people who will race to weaponize the patch diff. The finding pipeline is getting faster for everyone, which compresses your window to act.

What to do

Bottom line

Two unauthenticated paths to a privileged account on the appliance that governs your privileged access. That is the worst possible place to carry a 9.2. No public exploitation yet, but the patch is out, the bug class is well understood, and the historical pattern for RS and PRA is repeated real-world abuse. Move to 25.3.3 this week, then verify you were not already touched.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us