ProBackend
cloud security incidents
2 hours ago5 min read

BeyondTrust Warned Customers to Patch Two Critical Security Flaws in Its Remote Support (RS) and Privileged Remote Access

BeyondTrust issued emergency patches for two critical authentication bypass flaws in Remote Support and Privileged Remote Access, with two high-severity DoS flaws. Here's why your patch calendar just got crowded—and why ignoring this is a gamble with your incident response plan.

BeyondTrust Warned Customers to Patch Two Critical Security Flaws in Its Remote Support (RS)

Let’s be blunt: if you’re running BeyondTrust RS or PRA, and you haven’t patched since April, you’re already late. The vendor didn’t just drop a patch—they dropped a grenade on your incident response plan. Two critical authentication bypass flaws—CVE-2026-40138 and CVE-2026-40139—are live in the wild, and attackers are already scanning for them. You think you’re safe because you’re "not a target"? That’s the exact mindset that got the U.S. Treasury breached in 2024.

I’ve seen too many teams delay patches because "it’s not urgent." Urgent isn’t a calendar date. Urgent is when your backup credentials are sitting in a shared drive, your API keys are hardcoded in a config file, and your RS instance is publicly exposed. This isn’t a "maybe." It’s a "when."


The Two Flaws That Let Attackers Walk Right In

Here’s what actually broke:

CVE-2026-40138 is the big one. It’s not a buffer overflow or a logic flaw in a login form—it’s a flaw in the authentication subsystem itself. An unprivileged attacker can bypass controls entirely and reach admin-level accounts. Not "access a file." Not "read a log." Full control. And yes, that includes the ability to escalate privileges without a password. BeyondTrust says it requires a "specific configuration," but they won’t say what. That’s not security theater—it’s a delay tactic. Attackers don’t need the config details. They just need to find an exposed instance and start probing. And they’re already doing it.

CVE-2026-40139 is even scarier in its simplicity. An unauthenticated attacker can bypass authentication entirely—no credentials needed. Again, dependent on a hidden config. But here’s the kicker: if you’re running RS or PRA on the public internet, you’re already in the attack surface. You don’t need to know the config. You just need to send a malformed request and see what sticks. Shadowserver’s tracking nearly 2,000 exposed instances. That’s not a statistic. That’s a target list.

I’m not exaggerating. This isn’t like a missing SSL cert. This is the equivalent of leaving your front door open with the key taped under the mat—and then telling everyone the alarm system is "working fine."


The DoS Flaws Are Just the Background Noise

BeyondTrust also patched two high-severity DoS flaws: CVE-2026-40140 and CVE-2026-40141. These aren’t glamorous. They won’t get you on the news. But they’ll shut down your support tickets, crash your remote access queues, and tie up your ops team for hours while you scramble to restore service. And if you’re already patching for the auth bypasses? You’re already fixing these. Don’t treat them as an afterthought. They’re the quiet accomplices.

BeyondTrust’s official statement is clear: "A patch has been applied to all RS/PRA cloud customers as of April 21, 2026." So if you’re cloud-hosted and still seeing this alert? You’ve got a vendor issue. If you’re self-hosted? You’re on your own. And if you haven’t applied the April rollup or upgraded to 25.3.3+? You’re not just behind—you’re exposed.


The Shadowserver Numbers Aren’t Hypothetical

Shadowserver’s scan data shows nearly 2,000 BeyondTrust RS and PRA instances exposed to the public internet. That’s not a guess. That’s a live inventory. And yes, some are honeypots. Some are already patched. But here’s what matters: attackers don’t need to scan all 2,000. They just need to find one vulnerable one. And once they do? They pivot. They reuse credentials. They exploit shared API keys. They use your RS instance as a launchpad to hit your 365 tenants.

Remember the 2024 Silk Typhoon breach? They didn’t break into the Treasury through a zero-day. They used two already patched vulnerabilities that were never fixed everywhere. That’s the playbook. And now, BeyondTrust has handed them a new set of keys.


Past Breaches Prove This Isn’t Theoretical

Let’s talk about what happened last year. Silk Typhoon didn’t just hit the Treasury. They hit CFIUS. They hit OFAC. These aren’t random targets—they’re gatekeepers to U.S. sanctions, foreign investment, and national security policy. And they got breached because someone, somewhere, didn’t patch.

And before that? CVE-2026-1731—a pre-auth RCE—was weaponized to deploy ransomware on RS appliances. That’s not a rumor. That’s documented. Attackers didn’t need credentials. They didn’t need phishing. They just needed a public IP and a few malformed packets.

This isn’t theory. This is history repeating. And you’re the next chapter if you wait.


What You Should Do Right Now (No Fluff)

Stop reading. Do this:

  1. Check your version. Run rs -v or pra -v. If it’s ≤25.3.2, you’re vulnerable.
  2. Patch immediately. Cloud customers: you’re already patched. Self-hosted? Apply the April security rollup. Or upgrade to 25.3.3+. No excuses.
  3. Take it offline. If your RS or PRA instance is publicly accessible and you don’t have a business reason for it? Shut it down. Block the port. Now. Shadowserver’s scanner is already looking. So are the attackers.

Bonus: Look at your logs for WebSocket handshakes from IPs outside your normal support zones. That’s the signature of an active exploit. If you see it? Isolate the system. Don’t wait for a ticket.


Why This Matters More Than Your Next Patch Tuesday

BeyondTrust appliances sit at the intersection of human trust and machine access. They’re not just remote tools—they’re identity gateways. A single auth bypass doesn’t just give an attacker access to one system. It gives them a foothold into your entire 365 ecosystem. Credential reuse. Shared API keys. Session hijacking. These aren’t hypotheticals. They’re the next steps.

Think about it: if you were an attacker, where would you go after breaching a remote support tool? You’d go straight to your 365 tenant. You’d find the admin accounts. You’d reset passwords. You’d exfiltrate data. And you’d do it all without triggering a single alert.

This isn’t about patching a bug. It’s about protecting your identity layer. And if you’re still thinking "we’ll get to it next quarter," you’re already compromised.


Update 7/10/26: This article has been revised to confirm patch release timing and extend exposure estimates based on Shadowserver’s latest dataset. Source refs remain unchanged.


This article is part of the Security & Compliance Center’s breach-readiness series. Need help verifying your own patch posture? Check out our Cloud Security Incident Response Playbook for step-by-step validation tests.

More blogs