BeyondTrust Fixes Critical RS, PRA 0-Day Flaws Allowing Auth Bypass, RCE
BeyondTrust has disclosed multiple critical and high-severity vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) appliances, exposing organizations to authentication bypass, denial-of-service attacks, and unauthorized data access.
Tracked under advisory BT26-03, the flaws carry a maximum CVSS v4 score of 9.2 and were uncovered through BeyondTrust’s AI-driven vulnerability research program, which combines publicly available AI models with proprietary security tools.
The most severe issues strike at the authentication subsystem itself. Improper validation and processing of authentication data could let unauthenticated attackers bypass access controls entirely, gaining full control of affected appliances.
In certain configurations, successful exploitation could compromise privileged accounts, dramatically raising the risk of lateral movement and enterprise-wide breaches.
For organizations that depend on BeyondTrust for secure remote access and privileged session management, these flaws are especially alarming since they erode the core trust boundaries the platform is built to enforce.
According to BeyondTrust’s advisory, exploiting the critical flaws requires specific authentication configurations to be active. Crucially, no user interaction is needed, making these vulnerabilities attractive targets for remote, automated attacks.
Beyond the authentication bypass issues, additional flaws could trigger denial-of-service (DoS) conditions through uncontrolled resource consumption, or let authenticated attackers with limited privileges access unauthorized data due to improper input handling in web application components.
BeyondTrust confirmed that cloud-hosted customers were automatically patched as of April 21, 2026. Self-hosted deployments, however, remain exposed until administrators apply updates manually.
Organizations running RS or PRA versions 25.3.2 or earlier should immediately apply the April 2026 security rollup or upgrade to version 25.3.3 or later to close the exposure window.
Security teams should prioritize patching internet-facing appliances first and review authentication configurations closely, since attackers could potentially chain the authentication bypass with privilege escalation or data access flaws to amplify overall impact.
The most critical entry, CVE-2026-40138, carries a CVSS score of 9.2 and stems from improper authentication (CWE-287) in both RS and PRA, allowing unauthenticated attackers to bypass access controls and gain elevated access under specific configurations.
Closely related is CVE-2026-40139, also rated critical at 9.2, which involves an authentication processing flaw in Remote Support that enables remote attackers to bypass authentication entirely and access privileged accounts directly.
On the availability side, CVE-2026-40140 is rated high with a CVSS score of 8.7 and results from uncontrolled resource consumption (CWE-400), letting unauthenticated attackers trigger denial-of-service conditions that disrupt appliance availability.
Rounding out the disclosure, CVE-2026-40141 is also high severity at 8.5 and arises from improper input neutralization (CWE-943), which allows authenticated low-privileged users to access unauthorized data or resources they shouldn’t be able to reach.
MItigation
Given the severity and remote exploitability of these flaws, BeyondTrust urges affected organizations to move quickly. Applying the April 2026 security rollup or upgrading to version 25.3.3 or later should be treated as an immediate priority rather than routine maintenance, particularly since no user interaction is required for exploitation.
Alongside patching, security teams should audit authentication logs for suspicious or anomalous login activity and restrict external, internet-facing exposure of remote access infrastructure wherever feasible.
Reviewing current authentication configurations is equally important, as it can help identify risky settings tied directly to the disclosed flaws before attackers have a chance to exploit them.
No Comment! Be the first one.