BeyondTrust Fixes RS/PRA CVE-2026-40138 and More
BeyondTrust has published security advisory BT26-03 for four vulnerabilities in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) appliances. The flaws include two critical authentication issues (CVE-2026-40138, CVE-2026-40139) and two high-severity bugs that could affect availability or expose unauthorized data and resources (CVE-2026-40140, CVE-2026-40141).
The advisory carries an issue date of June 21, 2026, while BeyondTrust lists the public disclosure date as July 6, 2026. The company says its Product Security team identified the vulnerabilities during internal assessments, including AI-assisted vulnerability research supported by public models and proprietary tools.
Which BeyondTrust Vulnerabilities Are Included in BT26-03?
BT26-03 covers four vulnerabilities affecting BeyondTrust RS and PRA deployments. The most serious issues involve authentication logic and may allow unauthorized access before login when specific authentication configurations are in use.
CVE-2026-40138
CVE-2026-40138 (CVSS 9.2) is a critical pre-authentication vulnerability tied to the authentication subsystem in RS and PRA.
Under a specific authentication setup, the appliance may fail to properly validate authentication data. A network-positioned attacker could exploit that weakness to bypass access controls and access the appliance without valid authorization. In the worst case, this could include access to accounts with elevated privileges.

Details of CVE-2026-40138 (SOCRadar Vulnerability Intelligence)
CVE-2026-40139
CVE-2026-40139 (CVSS 9.2) is another critical authentication-related vulnerability. BeyondTrust’s description specifically references the RS authentication subsystem.
The issue involves improper handling of authentication requests. If the required authentication configuration is enabled, an unauthenticated attacker could bypass access checks and gain appliance access, potentially including elevated privileges.

Details of CVE-2026-40139 (SOCRadar Vulnerability Intelligence)
CVE-2026-40140
CVE-2026-40140 (CVSS 8.7) is a high-severity pre-authentication vulnerability in the network communication subsystem of RS and PRA.
The flaw relates to insufficient validation of client-supplied input. An attacker could abuse it without authentication to trigger a denial-of-service condition, which may disrupt appliance availability.

Details of CVE-2026-40140 (SOCRadar Vulnerability Intelligence)
CVE-2026-40141
CVE-2026-40141 (CVSS 8.5) is a high-severity issue in a web application component of RS and PRA.
Unlike the two critical authentication flaws, this issue requires authentication. An attacker with limited privileges and specific permissions could access resources or data outside their intended authorization scope.

Details of CVE-2026-40141 (SOCRadar Vulnerability Intelligence)
Which RS and PRA Versions Are Affected?
BeyondTrust lists the affected product lines and versions as:
- BeyondTrust Remote Support (RS) 25.3.2 or lower
- BeyondTrust Privileged Remote Access (PRA) 25.3.2 or lower
The listed fixed versions and remediation options are:
- RS 25.3.3 and above
- PRA 25.3.3 and above
- The relevant April 2026 Security Rollup for supported RS or PRA branches
How Are Cloud and Self-Hosted Deployments Patched?
BeyondTrust separates remediation guidance for cloud and self-hosted customers.
For cloud-hosted RS/PRA customers, BeyondTrust says it applied patches to all cloud instances on April 21, 2026. Even so, cloud customers may still want to confirm maintenance records for audit, compliance, or internal change management purposes.
For self-hosted customers, remediation depends on the deployed version and update path. Organizations should either upgrade to RS 25.3.3+ or PRA 25.3.3+, or apply the appropriate April 2026 Security Rollup for their supported branch.
Why Do These Vulnerabilities Matter?
RS and PRA often support sensitive remote access and privileged workflows. Organizations may use them to manage support sessions, control administrative access, and connect with identity providers. That makes authentication and authorization weaknesses in these platforms especially important.
The main risks are:
- Authentication bypass: CVE-2026-40138 and CVE-2026-40139 may allow access without valid credentials when the required configuration is present.
- Service disruption: CVE-2026-40140 could affect the availability of RS/PRA appliances.
- Unauthorized resource access: CVE-2026-40141 could allow limited-privilege users to reach data or resources outside their intended permissions.
These risks become more serious when RS/PRA appliances are internet-facing or accessible from broad network segments.
Is There Evidence of Exploitation or Public PoC for CVE-2026-40138, CVE-2026-40139, and Other Vulnerabilities?
As of July 7, 2026, BeyondTrust does not report active exploitation in the BT26-03 advisory. NVD records for the critical vulnerabilities also showed CISA ADP SSVC exploitation status as none at the time of review.
No reputable public proof-of-concept exploit was identified during the initial review. However, public disclosure can quickly change attacker interest, especially for pre-authentication vulnerabilities in remote access products. Teams should continue watching for vendor updates, exploit releases, scanning activity, and threat intelligence signals.
How Can SOCRadar Help You Track These Vulnerabilities?
Exploit availability, threat actor interest, public scanning activity, and external exposure all affect how quickly a vulnerability should move through the remediation queue.
SOCRadar’s Cyber Threat Intelligence capabilities support this process by tracking vulnerability-related threat signals, including exploit discussions, PoC developments, Dark Web mentions, and emerging attacker behavior. This helps your organization understand whether a newly disclosed vulnerability is gaining traction beyond the advisory itself.

SOCRadar’s Vulnerability Intelligence
SOCRadar’s Attack Surface Management (ASM) capabilities add the exposure layer by helping identify internet-facing assets and externally visible services. Together, CTI and ASM help security teams prioritize Vulnerability Intelligence based on both threat context and real-world exposure.
How Should Security Teams Respond?
1. Patch or Upgrade Self-Hosted RS and PRA
Security teams should prioritize self-hosted RS/PRA appliances, especially if they are internet-facing or reachable from broad internal networks.
Recommended actions include:
- Upgrade to RS 25.3.3+ and PRA 25.3.3+, or
- Apply the relevant April 2026 Security Rollup for the deployed RS/PRA branch.
2. Review Authentication Configuration
BeyondTrust says both critical vulnerabilities require a specific authentication configuration, but the public advisory does not identify the exact setting.
Security teams should:
- Review enabled authentication methods and integrations.
- Disable unused authentication paths where possible.
- Confirm that authentication policies match the intended access model.
- Pay close attention to externally reachable interfaces.
3. Reduce External Exposure
Exposure reduction should support patching, not replace it.
Organizations should avoid direct internet exposure of administrative interfaces unless required. Where possible, teams should restrict access through VPN, segmentation, IP allowlists, and tightly controlled ingress paths.
4. Monitor RS and PRA Activity
Even without confirmed exploitation, defenders should watch RS/PRA appliances for unusual activity, including:
- Unexpected pre-authentication traffic
- Authentication anomalies
- Request spikes that may indicate DoS probing
- New privileged accounts or role changes
- Unusual access to sensitive resources
What Is the BT26-03 Timeline?
- April 21, 2026: BeyondTrust says cloud RS/PRA instances were patched.
- June 21, 2026: BeyondTrust lists BT26-03 as issued and updated.
- July 6, 2026: BeyondTrust lists the advisory and CVEs publicly.
- July 7, 2026: NVD records remained in the early enrichment stage during review.
BT26-03 should be treated as a priority for self-hosted RS and PRA environments. Teams should confirm appliance versions, apply the correct security update, reduce unnecessary exposure, and monitor for signs that attackers are beginning to test these newly disclosed flaws.
