CVE-2026-40140

BeyondTrust · Remote Support and Privileged Remote Access

A pre-authentication vulnerability in the network communication subsystem of BeyondTrust Remote Support and Privileged Remote Access allows for uncontrolled resource consumption.

Executive summary

A critical pre-authentication vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated attackers to trigger uncontrolled resource consumption, potentially causing a denial-of-service.

Vulnerability

This is a pre-authentication resource consumption vulnerability (CWE-400) located within the network communication subsystem. An unauthenticated remote attacker can exploit this flaw to exhaust system resources, leading to service disruption.

Business impact

The vulnerability carries a CVSS score of 8.7, indicating high severity due to the ease of exploitation (no authentication required). Successful exploitation could result in significant system downtime, preventing legitimate users from accessing critical remote support or privileged access management tools, thereby disrupting IT operations and administrative workflows.

Remediation

Immediate Action: Upgrade to version 26.2.1, 25.3.3, or later as specified in the vendor security advisory (BT26-03).

Proactive Monitoring: Monitor system performance metrics for sudden spikes in resource utilization and review network traffic logs for anomalous patterns directed at the communication subsystem.

Compensating Controls: Implement rate limiting or blocking at the network perimeter for unauthorized or suspicious traffic patterns attempting to interact with the appliance's communication ports.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score and the ability for unauthenticated attackers to impact system availability, organizations should prioritize patching these BeyondTrust appliances immediately. Ensure all instances are updated to the non-vulnerable versions provided by the vendor to prevent potential service disruption.