BeyondTrust has released emergency patches for two critical security vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Tracked as CVE-2026-40138, the most severe flaw carries a CVSS score of 9.2 and allows pre-authentication attacks, enabling unauthenticated attackers to bypass security controls and compromise affected devices. The second issue also permits remote code execution without requiring prior access.
The vulnerabilities exist in the authentication mechanisms of both products, which are widely deployed by organizations for remote troubleshooting and secure privileged access. While BeyondTrust has not disclosed the exact number of affected systems, the risk is elevated because these tools often operate with elevated privileges on sensitive networks. Active exploitation has not yet been confirmed, but security researchers warn that proof-of-concept exploitation could emerge quickly given the severity.
Attackers can exploit these flaws by sending specially crafted requests to exposed instances of RS or PRA. No user interaction is required for successful exploitation, meaning attackers could chain these vulnerabilities with other techniques to gain persistent access. Organizations should prioritize patching immediately, as the flaws expose critical infrastructure to complete compromise.
BeyondTrust has released software updates for both products and strongly recommends applying them immediately. No workarounds have been provided, though administrators can limit exposure by restricting network access to RS and PRA endpoints. The company urges customers to upgrade to the latest supported versions before continuing use.
No threat actor has been publicly linked to these vulnerabilities. However, similar remote access flaws have been actively targeted in previous campaigns, underscoring the urgency for organizations to patch before adversaries develop exploits.