CVE-2026-40139
BeyondTrust · Remote Support and Privileged Remote Access
A pre-authentication vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated attackers to bypass access controls and gain unauthorized administrative access.
Executive summary
A critical vulnerability in BeyondTrust remote access appliances could allow unauthenticated attackers to achieve full system compromise, representing a severe risk to organizational security.
Vulnerability
This is an authentication bypass vulnerability (CWE-287) located within the appliance authentication subsystem. An unauthenticated remote attacker can exploit improper request processing to gain elevated privileges, provided a specific authentication configuration is enabled.
Business impact
Successful exploitation grants an attacker complete unauthorized access to the appliance, effectively neutralizing the security perimeter provided by the remote access solution. Given the CVSS score of 9.2, this vulnerability poses a critical threat to data confidentiality and integrity, potentially allowing attackers to pivot into the internal network or harvest sensitive credentials.
Remediation
Immediate Action: Upgrade BeyondTrust Remote Support and Privileged Remote Access appliances to version 26.2.1, 25.3.3, or the latest available release as specified by the vendor advisory.
Proactive Monitoring: Review appliance access logs for anomalous authentication patterns or unexpected administrative sessions originating from unknown sources.
Compensating Controls: Restrict access to the administrative interface of the appliance to known, trusted IP addresses using network-level access control lists (ACLs) until patching is complete.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a significant risk to the integrity of remote access infrastructure. Administrators must prioritize updating these appliances immediately, as the ability for an unauthenticated attacker to gain administrative access constitutes a total system compromise.