>samit_hota
Back to advisories
SH-2026-009CriticalResolved

BeyondTrust Fixes Multiple Critical Vulnerabilities in Remote Access Products

Samit Hota·
CVE ID
CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, CVE-2026-40141
CVSS Score
N/A
Affected Products
BeyondTrust Remote Support (versions before 25.3.3), BeyondTrust Privileged Remote Access (versions before 25.3.3)
#news#beyondtrust

Overview

BeyondTrust, a leading provider of privileged access management (PAM) and remote support solutions, has released crucial security updates to address multiple severe vulnerabilities in its BeyondTrust Remote Support and BeyondTrust Privileged Remote Access products. These vulnerabilities, assigned CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, and CVE-2026-40141, carry high to critical Common Vulnerability Scoring System (CVSSv3.1) scores, ranging from 7.5 to 9.9. Successful exploitation of these flaws could allow attackers to bypass access controls, gain unauthorized access to appliances, trigger denial-of-service conditions, or enable authenticated attackers with limited privileges to access data or resources beyond their authorized scope. Given the sensitive nature of these products, which are designed to manage and secure privileged access to critical systems, immediate patching is strongly recommended by security agencies, including the Cyber Security Agency of Singapore (CSA).

Technical Details

The cluster of vulnerabilities impacts different aspects of the BeyondTrust products, each posing a distinct threat:

  • CVE-2026-40138 (CVSS 8.1): This vulnerability could allow an unauthenticated attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. While the full technical details are not publicly detailed by the CSA advisory, such a flaw often indicates an issue in authentication mechanisms, session management, or insecure direct object references that can be manipulated by an attacker to gain system-level access without proper credentials.
  • CVE-2026-40139 (CVSS 9.8): A critical vulnerability that could lead to unauthorized access or severe service disruption. A CVSS score of 9.8 typically signifies a flaw that is easily exploitable over a network with low complexity and no user interaction, granting high impact to confidentiality, integrity, and availability. This could manifest as a remote code execution, arbitrary file upload, or a severe authentication bypass that allows full control of the system.
  • CVE-2026-40140 (CVSS 7.5): This vulnerability could trigger a denial-of-service (DoS) condition. DoS flaws, particularly in critical infrastructure like remote access tools, can prevent legitimate users and administrators from accessing necessary resources, severely impacting business continuity. This could be due to resource exhaustion, application crashes, or other attack vectors designed to make the service unavailable.
  • CVE-2026-40141 (CVSS 9.9): The most critical of the reported flaws, with a CVSS score of 9.9. This vulnerability could allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. This points to a severe authorization bypass or privilege escalation issue. In a privileged access management context, this could mean a low-privileged user gaining access to highly sensitive credentials, administrative functions, or confidential data managed by BeyondTrust, completely undermining the purpose of the product. Such flaws are often found in how access policies are enforced, or due to insecure API endpoints.

These vulnerabilities collectively demonstrate weaknesses across authentication, authorization, and system resilience within the affected products.

Real-World Impact

The real-world impact of these BeyondTrust vulnerabilities is substantial, particularly for organizations that rely on these products for secure remote access and privileged account management. BeyondTrust’s solutions are used globally by IT departments to manage and monitor access to critical servers, endpoints, and applications.

Exploitation of these flaws could lead to:

  • Complete System Compromise: An unauthenticated attacker could gain initial unauthorized access, potentially leading to a full breach of the BeyondTrust appliance and subsequent access to managed systems.
  • Privilege Escalation: A low-privileged insider or an attacker who has gained initial foothold could escalate their privileges to administrative levels, compromising the entire PAM infrastructure and accessing all managed credentials and systems.
  • Data Breach: Unauthorized access to unintended resources could result in the exfiltration of highly sensitive data, including administrative credentials, proprietary information, and confidential client data.
  • Business Disruption: A denial-of-service attack could cripple remote support operations and privileged access, severely impacting an organization’s ability to maintain its IT infrastructure, respond to incidents, and conduct normal business operations.
  • Lateral Movement: Successful exploitation could provide attackers with the keys to the kingdom, enabling unfettered lateral movement across an enterprise network, escalating an initial compromise into a full-scale breach.

Given the critical role BeyondTrust products play in an organization’s security posture, these vulnerabilities represent a direct threat to the confidentiality, integrity, and availability of an organization’s most sensitive assets.

Threat Landscape

Remote access and privileged access management solutions are consistently high-value targets for attackers. As organizations increasingly adopt hybrid work models and rely on third-party vendors for support, secure remote access becomes paramount. Exploiting vulnerabilities in these platforms allows attackers to bypass layers of security designed to protect sensitive systems. This makes solutions like BeyondTrust a prime target for nation-state actors, sophisticated cybercriminal groups, and even opportunistic hackers looking for critical entry points. The threat landscape is characterized by attackers’ relentless pursuit of ways to circumvent robust authentication and authorization mechanisms. Flaws in such security products are particularly attractive because they offer a direct path to the highest levels of access, making them highly sought after in underground forums and by advanced persistent threats (APTs). The disclosure of multiple high-severity vulnerabilities in a single product family underscores the continuous challenge of securing complex software that handles critical security functions.

Remediation

BeyondTrust has provided security updates to mitigate these vulnerabilities. Users and administrators of affected products are strongly advised to update to the latest versions immediately.

  1. Immediate Patching:
    • BeyondTrust Remote Support: Update to version 25.3.3 or later.
    • BeyondTrust Privileged Remote Access: Update to version 25.3.3 or later.
    • Refer to BeyondTrust’s official security advisory (BT26-03) for detailed patching instructions and any specific prerequisites.
  2. Verify Updates: After applying the updates, administrators should verify that the new versions are correctly installed and that the vulnerabilities are no longer present.
  3. Network Segmentation and Least Privilege: While patching is critical, reinforcing network segmentation around privileged access systems and enforcing the principle of least privilege can limit the blast radius of any potential future compromises.
  4. Continuous Monitoring: Implement robust logging and monitoring for all activity on BeyondTrust appliances, looking for unusual access patterns, failed login attempts, or unauthorized configuration changes.
  5. Incident Response Plan Review: Review and update incident response plans to specifically address potential compromises of privileged access management solutions, ensuring teams are prepared to react swiftly to any exploitation attempts.
  6. Regular Audits: Conduct regular security audits and penetration tests of remote access and PAM infrastructure to proactively identify and address potential weaknesses.

Given the critical nature of these vulnerabilities and the potential for severe impact, timely application of the provided patches is the most effective and urgent remediation step.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call