Skip to content
feed: live
>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-40140

BeyondTrust Remote Support / PRA pre-auth denial of service

A high-severity (CVSS 7.5) pre-authentication denial-of-service flaw in BeyondTrust Remote Support and Privileged Remote Access. Insufficient validation of client-supplied input in the network communication subsystem may let an unauthenticated remote attacker trigger a DoS condition against appliance availability. Patched in the 2026-07-06 coordinated release.

cat cve-2026-40140.json
Vendor
BeyondTrust
Product
Remote Support (RS) and Privileged Remote Access (PRA)
CVSS
7.5
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-40140 is a pre-authentication denial-of-service flaw in BeyondTrust Remote Support and Privileged Remote Access. Per NVD’s record: “insufficient validation of client-supplied input may allow an unauthenticated remote attacker to trigger a denial-of-service condition affecting appliance availability.” NVD scores it CVSS 7.5 (high).

The flaw impacts availability only — not confidentiality or integrity — but on an appliance mediating vendor and third-party privileged access, a DoS is not neutral: it removes the operational path administrators use to reach systems during an active incident, which is exactly when reachability matters most.

Advisory context

CVE-2026-40140 is one of four vulnerabilities BeyondTrust disclosed and patched in the same 2026-07-06 coordinated release, alongside CVE-2026-40138 (pre-auth auth bypass, CVSS 8.1 high per NVD), CVE-2026-40139 (pre-auth auth bypass, CVSS 9.8 critical), and CVE-2026-40141 (authenticated authorization bypass, CVSS 9.9 critical).

What to do

Apply BeyondTrust’s 2026-07-06 patches. The auth-bypass flaws in the same bundle set the timeline; this DoS ships with them and does not require a separate deploy window. See the article writeup for the full response.

NVD’s canonical record for this CVE is here.