BeyondTrust Remote Support / PRA pre-auth denial of service
A high-severity (CVSS 7.5) pre-authentication denial-of-service flaw in BeyondTrust Remote Support and Privileged Remote Access. Insufficient validation of client-supplied input in the network communication subsystem may let an unauthenticated remote attacker trigger a DoS condition against appliance availability. Patched in the 2026-07-06 coordinated release.
- Vendor
- BeyondTrust
- Product
- Remote Support (RS) and Privileged Remote Access (PRA)
- CVSS
- 7.5
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-40140 is a pre-authentication denial-of-service flaw in BeyondTrust Remote Support and Privileged Remote Access. Per NVD’s record: “insufficient validation of client-supplied input may allow an unauthenticated remote attacker to trigger a denial-of-service condition affecting appliance availability.” NVD scores it CVSS 7.5 (high).
The flaw impacts availability only — not confidentiality or integrity — but on an appliance mediating vendor and third-party privileged access, a DoS is not neutral: it removes the operational path administrators use to reach systems during an active incident, which is exactly when reachability matters most.
Advisory context
CVE-2026-40140 is one of four vulnerabilities BeyondTrust disclosed and patched in the same 2026-07-06 coordinated release, alongside CVE-2026-40138 (pre-auth auth bypass, CVSS 8.1 high per NVD), CVE-2026-40139 (pre-auth auth bypass, CVSS 9.8 critical), and CVE-2026-40141 (authenticated authorization bypass, CVSS 9.9 critical).
What to do
Apply BeyondTrust’s 2026-07-06 patches. The auth-bypass flaws in the same bundle set the timeline; this DoS ships with them and does not require a separate deploy window. See the article writeup for the full response.
NVD’s canonical record for this CVE is here.
