Press TechRound interviews Secure.com CEO on the future of AI security
Read

BeyondTrust Fixes Four Flaws That Could Hand Attackers Admin Access

BeyondTrust fixed four flaws in Remote Support and PRA, including two critical bugs that let attackers skip login and gain admin access.

Dateline: July 7, 2026

BeyondTrust Patches a Flaw That Acts Like a Skeleton Key

BeyondTrust just patched four security holes in the tools companies use to give IT staff remote control of machines. Two are critical. Both let an attacker skip the login screen entirely and land with admin rights. If you run these products on your own servers, this one needs attention today.

What Happened? 

The fixes come in advisory BT26-03 and cover BeyondTrust Remote Support and Privileged Remote Access. These products let support teams and vendors log into systems from afar, which makes them a juicy target. Break the login, and you are standing inside the network.

The two critical bugs, CVE-2026-40138 and CVE-2026-40139, both score 9.2 out of 10. They live in the login system shared across both products.

CVE-2026-40139 is the one to watch. An attacker with no account and no password can bypass authentication by sending malformed login requests, as long as a certain setting is switched on. CVE-2026-40138 is similar but harder to pull off and needs specific conditions to line up.

Two more flaws round things out. CVE-2026-40140, scoring 8.7, lets an attacker crash the appliance and knock it offline without logging in. CVE-2026-40141, scoring 8.5, lets a low-privilege user reach data they should not be able to touch.

Here is an interesting wrinkle. BeyondTrust says it found these bugs itself, using an internal research program built on public AI models. So AI keeps showing up on both sides of this fight, digging up flaws before criminals do.

What’s the Impact?

The worry is not theoretical. BeyondTrust has been burned here before.

Earlier this year, a separate critical flaw in the same products (CVE-2026-1731) drew real exploitation attempts against unpatched, internet-facing self-hosted setups. Researchers counted roughly 8,500 on-premises instances exposed online at the time.

Go back further and it gets worse. In 2024, attackers used BeyondTrust Remote Support zero-days to break into the U.S. Treasury, an incident later tied to the Chinese state group Silk Typhoon. They walked off with unclassified files on sanctions work.

That history is the point. Remote access tools are a favorite doorway for serious attackers. A login bypass on one of these is close to a skeleton key.

The good part here is timing. There are no reports of these four new bugs being exploited yet, and BeyondTrust already patched all cloud-hosted instances back on April 21, 2026. The risk sits almost entirely with self-hosted customers who have not updated.

How to Avoid This 

BeyondTrust lays out a clear path:

  • Patch right away if you self-host. Every version of Remote Support and PRA at or below 25.3.2 is vulnerable.
  • If you are not on automatic updates, apply the April 2026 security rollup for your version. Or upgrade to Remote Support 25.3.3 or PRA 25.3.3 or later, which clears all four bugs at once.
  • Keep these appliances off the open internet where you can. Restrict management access to trusted IP ranges.
  • Check whether the vulnerable authentication configurations are active on your appliance, since the worst bug depends on a specific setting.
  • Watch for a gap between when a fix ships and when you actually apply it. That window is exactly where past BeyondTrust attacks landed.

When a Login Bypass Becomes a Skeleton Key, Patch Speed Is Your Real Defense 

Remote access tools sit at the center of your network, so a single missed patch can open every door. Secure.com gives you AI Digital Security Teammates that keep watch the way an attacker would probe you.

  • Find internet-facing appliances and exposed admin panels before attackers map them.
  • Catch and rank flaws like CVE-2026-40139 so the critical ones move to the top of the fix list.
  • Track the gap between a vendor patch and your actual rollout, then nudge before it becomes a hole.
  • Spot credential abuse and unusual admin logins as they happen.
  • Give lean teams full-time coverage without adding headcount.