BeyondTrust has released security updates for two critical flaws in its Remote Support and Privileged Remote Access products that could let unauthenticated attackers take control of affected devices under specific configurations, according to a security advisory from BeyondTrust.
KEY FACTS
- Critical bugs Two authentication flaws were rated 9.2 out of 10.
- Other issues A denial of service flaw was rated 8.7 and a limited access control issue was rated 8.5.
- Affected products Remote Support and Privileged Remote Access were both impacted.
- Fixed versions The problems were addressed in RS 25.3.3 and PRA 25.3.3.
The advisory lists four vulnerabilities, including CVE-2026-40138 and CVE-2026-40139, both described as pre-authentication authentication flaws that could allow a network-positioned or remote attacker to bypass access controls and gain unauthorized access to the appliance, including elevated accounts.
CVE-2026-40140 is described as a pre-authentication network communication issue that could trigger a denial of service condition. CVE-2026-40141 affects a web application component and could let an authenticated user with limited privileges reach unintended resources or data beyond their authorization scope.
BeyondTrust said the issues were identified internally during ongoing security assessments, with assistance from publicly available artificial intelligence models and its own research tooling. It said exploitation of the two most severe flaws depends on a specific authentication configuration being enabled, and that the privilege-related issue is limited to accounts with certain permissions.
The company did not say the bugs were being used in the wild. It said Remote Support RS 25.3.2 and earlier, and Privileged Remote Access PRA 25.3.2 and earlier, are affected.
WHY IT MATTERS
The flaws affect products used for remote access and support, which can give attackers a direct path into sensitive systems if they are exposed with the risky configuration. Past exploitation of separate BeyondTrust flaws to deploy web shells and backdoors makes prompt patching important for users.

