BeyondTrust
Vulnerabilities and patches across BeyondTrust's remote-access and privileged-access product line — Remote Support (RS), Privileged Remote Access (PRA), and adjacent PAM appliances whose compromise typically hands attackers a foothold in the vendor-and-third-party access path into an enterprise.
BeyondTrust Remote Support / PRA pre-auth authentication bypass
A pre-authentication authentication-bypass flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Improper validation of authentication data may let a network-positioned attacker bypass access controls and reach appliance accounts, including elevated ones. Vendor labels the flaw "critical" in its advisory; NVD scores it CVSS 8.1 (high). Patched in the 2026-07-06 coordinated release; exploitation requires a specific authentication configuration to be enabled.
BeyondTrust Remote Support pre-auth authentication bypass (critical)
A critical (CVSS 9.8) pre-authentication authentication-bypass flaw in BeyondTrust Remote Support (RS). Improper processing of authentication requests may let an unauthenticated remote attacker bypass access controls and reach appliance accounts, including elevated ones. Patched in the 2026-07-06 coordinated release; exploitation requires a specific authentication configuration to be enabled.
BeyondTrust Remote Support / PRA pre-auth denial of service
A high-severity (CVSS 7.5) pre-authentication denial-of-service flaw in BeyondTrust Remote Support and Privileged Remote Access. Insufficient validation of client-supplied input in the network communication subsystem may let an unauthenticated remote attacker trigger a DoS condition against appliance availability. Patched in the 2026-07-06 coordinated release.
BeyondTrust Remote Support / PRA authenticated authorization bypass
A critical (CVSS 9.9) authenticated authorization-bypass flaw in a web-application component of BeyondTrust Remote Support and Privileged Remote Access. Insufficient input validation may let an authenticated attacker with limited privileges reach data or resources beyond their authorization scope. Exploitation is restricted to accounts with specific permissions. Patched in the 2026-07-06 coordinated release.
