Back to Blog
CVE-2026-40138/9/40/41: BeyondTrust Remote Access — Critical Pre-Auth Bypass (July 2026)
vulnerabilities

CVE-2026-40138/9/40/41: BeyondTrust Remote Access — Critical Pre-Auth Bypass (July 2026)

breachwire TeamJul 8, 20262 min read

CVE-2026-40138/9/40/41 — BeyondTrust Remote Access

Four critical vulnerabilities (CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, CVE-2026-40141) affect BeyondTrust Remote Support and Privileged Remote Access (versions 25.3.2 and below). These pre-authentication flaws allow unauthenticated attackers to bypass access controls, potentially gaining privileged access or causing denial-of-service. No public exploitation reported yet, but previous BeyondTrust vulnerabilities have been weaponized for web shell and backdoor deployment.

Attack Vector

Attackers can exploit these flaws remotely without authentication. By sending crafted requests to vulnerable endpoints, adversaries can bypass authentication checks, escalate privileges, or disrupt appliance availability. No user interaction is required. The vulnerabilities enable access to sensitive data and administrative functions, and may facilitate lateral movement if compromised credentials or session tokens are obtained. Past incidents show exploitation can lead to persistent access via web shells.

Who Is at Risk

All organizations running BeyondTrust Remote Support or Privileged Remote Access appliances at version 25.3.2 or earlier are exposed. Both on-premises and cloud deployments are affected. BeyondTrust confirms these vulnerabilities impact their global customer base. Immediate action is required for any environment with internet-exposed management interfaces.

Patch & Mitigate

  • Patch: Upgrade BeyondTrust Remote Support and Privileged Remote Access to the latest version above 25.3.2 immediately.
  • Workaround: If patching is delayed, restrict network access to management interfaces and monitor for anomalous login attempts.
  • Detect: Review appliance logs for unexpected authentication events, failed logins, or suspicious access to administrative endpoints. Monitor for new or modified files in web server directories indicating web shell activity.

MITRE ATT&CK

  • TA0001 — Initial Access: Vulnerabilities enable attackers to gain a foothold without credentials.
  • TA0005 — Defense Evasion: Exploitation can bypass authentication and evade standard access controls.
  • TA0009 — Collection: Attackers may access sensitive data or credentials post-compromise.

Source: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: