BeyondTrust has patched two critical authentication bypass flaws in its Remote Support and Privileged Remote Access products, warning that exposed instances could let unauthenticated attackers access protected appliances under specific configurations. The company also fixed two high-severity issues, while prior BeyondTrust flaws have been used in attacks against U.S. government systems and linked to #SilkTyphoon and #CVE-2026-1731.
Keypoints
- CVE-2026-40138 affects BeyondTrust RS and PRA versions 25.3.2 or earlier.
- CVE-2026-40139 can let unauthenticated remote attackers gain unauthorized access.
- Two additional flaws, CVE-2026-40140 and CVE-2026-40141, may cause denial-of-service or restricted resource access.
- BeyondTrust says cloud customers were patched automatically on April 21, 2026.
- Shadowserver tracks nearly 2,000 BeyondTrust RS and PRA instances exposed online.