BeyondTrust Remote Support pre-auth authentication bypass (critical)
A critical (CVSS 9.8) pre-authentication authentication-bypass flaw in BeyondTrust Remote Support (RS). Improper processing of authentication requests may let an unauthenticated remote attacker bypass access controls and reach appliance accounts, including elevated ones. Patched in the 2026-07-06 coordinated release; exploitation requires a specific authentication configuration to be enabled.
- Vendor
- BeyondTrust
- Product
- Remote Support (RS)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-40139 is the more severe of the two pre-authentication auth-bypass flaws BeyondTrust disclosed on 2026-07-06 (the other being CVE-2026-40138). Per NVD’s record: “improper processing of authentication requests may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.” NVD scores it CVSS 9.8 critical; BeyondTrust’s own advisory also calls it critical.
The scoping difference from CVE-2026-40138 matters operationally: -40139 lists Remote Support only, not the combined RS + PRA scope of -40138.
Advisory context
CVE-2026-40139 is one of four vulnerabilities BeyondTrust disclosed and patched in the same 2026-07-06 coordinated release, alongside CVE-2026-40138 (pre-auth auth bypass, RS + PRA, CVSS 8.1 high per NVD), CVE-2026-40140 (pre-auth DoS, CVSS 7.5 high), and CVE-2026-40141 (authenticated authorization bypass, CVSS 9.9 critical). No in-wild exploitation has been reported at time of publication.
What to do
Apply BeyondTrust’s 2026-07-06 Remote Support patches immediately. The 9.8 pre-auth bypass on an appliance whose function is gating privileged third-party access into an enterprise is the exact profile — internet-exposed management surface, high-value pivot target — that has driven the last three years of KEV additions in this category. Patch first, then verify the specific authentication configuration language in the advisory against your deployment. See the article writeup for priority ordering.
NVD’s canonical record for this CVE is here.
