Mastodon Mastodon Mastodon Mastodon

BeyondTrust Remote Support and PRA: four flaws and AI discovery

Photo of author

CyberSecureFox Editorial Team

Published:

BeyondTrust has released updates for its Remote Support (RS) and Privileged Remote Access (PRA) products that fix four vulnerabilities, two of which have been assigned a critical CVSS 9.2 rating. The most severe flaws allow an unauthenticated attacker to bypass access control mechanisms and gain unauthorized access to a device, including accounts with elevated privileges. Affected are RS versions 25.3.2 and below, as well as PRA versions 25.3.2 and below – fixes are available starting from version 25.3.3 for both products. Organizations using these solutions should update immediately.

Technical analysis of the vulnerabilities

All four vulnerabilities affect the authentication and network communication subsystems of BeyondTrust products. Three of them are pre-authentication issues — exploiting them does not require prior authorization.

Critical authentication bypass vulnerabilities

  • CVE-2026-40138 (CVSS 9.2) — a pre-authentication vulnerability in the Remote Support and Privileged Remote Access authentication subsystem. It is caused by improper validation of authentication data. It allows an attacker with network access to the device to bypass access control and gain unauthorized access, including privileged accounts.
  • CVE-2026-40139 (CVSS 9.2) — a pre-authentication vulnerability in the Remote Support authentication subsystem. It is related to improper handling of authentication requests. It allows a remote unauthenticated attacker to bypass access control and gain access to the device with elevated privileges.

An important qualification: successful exploitation of both critical vulnerabilities is possible only under certain authentication configurations. This significantly narrows the attack surface, although it does not remove the need to update — organizations do not always control or even know which configurations are active in their environment.

Medium-severity vulnerabilities

  • CVE-2026-40140 (CVSS 8.7) — a pre-authentication vulnerability in the network communication subsystem. Insufficient validation of client-supplied input allows an unauthenticated remote attacker to cause a denial of service, disrupting the availability of the device.
  • CVE-2026-40141 (CVSS 8.5) — a vulnerability in the Remote Support and Privileged Remote Access web application component. Insufficient validation of user input allows an authenticated attacker with limited privileges to gain access to resources and data outside their authorization scope. Exploitation is limited to accounts with specific permissions.

Notable aspect: the role of AI in discovery

BeyondTrust indicated that all four vulnerabilities were discovered internally as part of ongoing security assessments, with the company using publicly available artificial intelligence models, in particular Anthropic Claude Opus 4.8, as well as its own research tools. This is one of the more visible examples of a vendor openly stating the use of generative AI in the process of auditing the security of its own products. The approach deserves attention: proactively discovering vulnerabilities before they are exploited is a far more advantageous strategy than responding to incidents after the fact.

Impact assessment

BeyondTrust Remote Support and Privileged Remote Access products are widely used in the enterprise sector for remote technical support and management of privileged access. Compromise of such systems can give an attacker direct access to an organization’s critical infrastructure, since by their nature these solutions hold broad privileges in target environments.

According to the official BeyondTrust advisory, at the time of publication there is no confirmed evidence of active exploitation of the new vulnerabilities. None of the four CVEs has been added to the CISA KEV catalog. Nevertheless, RS and PRA products have previously been targeted in attacks — which makes prompt updating a priority.

Recommendations

  1. Update Remote Support and Privileged Remote Access to version 25.3.3 or later.
  2. Review your authentication configuration — determine whether settings are enabled under which CVE-2026-40138 and CVE-2026-40139 can be exploited. If updating is not immediately possible, consider temporarily changing the configuration.
  3. Audit accounts with permissions potentially exposed to CVE-2026-40141, and restrict privileges to the minimum necessary.
  4. Review logs on RS and PRA devices for anomalous authentication attempts and unauthorized access to resources.
  5. Limit network access to management interfaces of BeyondTrust devices if they are reachable from untrusted networks.

Given the critical CVSS 9.2 scores for two of the vulnerabilities and the strategic value of remote access products as an attack vector, updating to version 25.3.3 should be carried out as soon as possible — even in the absence of confirmed exploitation. Dependence on specific configurations reduces but does not eliminate risk: after CVE publication, the window for safe updating narrows with each passing day.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.