BeyondTrust Patches Four RS/PRA Flaws — Patch Now
BeyondTrust shipped fixes on July 6 for four vulnerabilities in Remote Support and Privileged Remote Access, including a CVSS 9.8 pre-auth bypass. No in-wild exploitation reported. Here's the priority order.
BeyondTrust pushed fixes on July 6 for four vulnerabilities in Remote Support (RS) and Privileged Remote Access (PRA). Two are pre-authentication authentication bypasses — CVE-2026-40138 (CVSS 8.1 high per NVD; BeyondTrust’s own advisory calls it critical) and CVE-2026-40139 (CVSS 9.8 critical). One is a pre-auth denial of service, CVE-2026-40140 (CVSS 7.5 high). One is an authenticated authorization bypass, CVE-2026-40141 (CVSS 9.9 critical). The Hacker News wrote up the coordinated release and BleepingComputer covered it separately. NVD published all four records on 2026-07-06.
No in-wild exploitation has been reported. If your organization runs BeyondTrust RS or PRA — the appliances that broker vendor and third-party privileged access into your estate — this is the vendor-advisory patch cycle you want to close before it becomes a KEV addition instead.
What changed
BeyondTrust released updates for both Remote Support and Privileged Remote Access covering all four CVEs at once. The scoping across the bundle is worth reading closely because it drives triage:
- CVE-2026-40139 — pre-auth auth bypass, CVSS 9.8 critical, Remote Support only. NVD language: “improper processing of authentication requests may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.”
- CVE-2026-40138 — pre-auth auth bypass, CVSS 8.1 high (NVD) / “critical” (vendor), Remote Support and PRA. Same class as -40139, same “specific authentication configuration” prerequisite in the NVD entry. Vendor scoring and NVD scoring diverge here; we go with the NVD score for the severity badge and flag the vendor’s framing so you can decide which reflects your deployment.
- CVE-2026-40141 — authenticated authorization bypass, CVSS 9.9 critical, RS and PRA. Requires an authenticated user with “specific permissions” to reach data or resources beyond their authorization scope. On a shared support-vendor deployment those permissions live on exactly the accounts an attacker with a phished foothold would target next.
- CVE-2026-40140 — pre-auth DoS, CVSS 7.5 high, RS and PRA. Availability impact only. On an appliance that brokers privileged access, availability during an incident is not neutral.
The single most important line across all four writeups is the “specific authentication configuration to be enabled” language on the pre-auth bypasses. That is a gate on reachability, not an excuse to defer patching. Verify which configuration is in scope against your own deployment — if it’s not on, you’re not reachable today; if it is on, you’re reachable and this is a same-week patch, not a next-window patch.
The other line worth naming: no PoC, no public exploitation as of publication. The honest timeline on advisories in this product class — vendor appliances that broker privileged access into an enterprise — is roughly: patch out, quiet week, PoC surfaces, exploitation curve broadens. See Kemp LoadMaster CVE-2026-8037 three weeks ago for the same shape at higher speed. Assume you have days to weeks on this one, not months.
What to actually do
1. Patch this week.
Apply BeyondTrust’s 2026-07-06 updates to Remote Support and Privileged Remote Access on every appliance you run. Both cloud-hosted BeyondTrust instances (managed by the vendor) and on-prem/self-managed appliances are in scope; verify which model applies to each appliance in your inventory. If you have a mix — self-hosted RS instances behind an old acquisition, plus a modern PRA rollout on cloud — patch the self-hosted appliances first. That’s where you have both the exposure and the operational responsibility.
2. Verify the “specific authentication configuration” against your deployment.
Read BeyondTrust’s advisory for the exact configuration option that makes the pre-auth bypasses (-40138 and -40139) reachable. If the option is off in your environment, you have a defense-in-depth reason to sequence non-BeyondTrust work ahead of this — but do not use “not currently reachable” as a reason to skip the patch. Configuration changes ship in the wrong direction routinely; verify at deploy time and every time.
3. Restrict the management surface, if you haven’t already.
BeyondTrust’s Remote Support and PRA management interfaces should be reachable from a management network or VPN, not the public internet, unless there is a documented business reason otherwise. This is standard vendor hardening for the product family and has been for years. A pre-auth bypass on a management surface exposed to the internet is the exact profile that produced the last three years of appliance-KEV entries in this category — F5 BIG-IP iControl REST, Citrix Bleed, Ivanti Connect Secure, Kemp LoadMaster. Same shape, different vendor.
4. Once patched, audit account use for the last 30 days.
Nothing published so far indicates in-wild exploitation. That is not the same as a clean read. Pull the last 30 days of admin and service-account login records on RS and PRA, look for authentications from unfamiliar source addresses or geolocations, and confirm any privilege escalations trace back to a request you can identify. Fold the accounts with the “specific permissions” mentioned in -40141 into a targeted review list — even if the exploitation isn’t there yet, those accounts are exactly where you’d look first if it turned up next month.
5. Watch for follow-on advisories.
Vendor advisories on RS/PRA sometimes ship in staged bundles as customer telemetry lands. Keep an eye on BeyondTrust’s PSIRT feed through the end of the month; if a fifth CVE-2026-4014x lands with an in-wild exploitation note, treat this article’s response as the first pass of a two-part patch cycle, not the whole thing.
Priority call
Patch this week. In an environment with both Remote Support and PRA, patch RS first — the 9.8 pre-auth bypass on -40139 is Remote Support only, and 40138’s shared scope means PRA-only appliances are covered on the same wave.
If you have to defer any of it (you shouldn’t), defer the DoS. CVE-2026-40140 is availability-impact only, and a well-restricted management network gives you time on it. Do not defer the auth bypasses. A pre-auth bypass on the appliance that brokers vendor access into your enterprise is the sort of thing that shows up on KEV the week after somebody’s incident goes public, and that timeline is not one you get to opt out of.
Sourcing
- The Hacker News. BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA. July 7, 2026.
- BleepingComputer. BeyondTrust warns of critical flaws in remote access software. July 7, 2026.
- NVD records: CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, CVE-2026-40141.
Found this useful? Share it.