Latest BeyondTrust vulnerabilities: CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, & CVE-2026-40141 #

BeyondTrust disclosed multiple pre-authentication authorization vulnerabilities affecting certain versions of both Remote Support (RS) and Privileged Remote Access (PRA). The vulnerabilities have been designated CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, & CVE-2026-40141 and has the highest risk of the vulnerabilities been rated critical with a CVSS score of 9.2.

What are BeyondTrust Remote Support, and Privileged Remote Access? #

BeyondTrust Remote Support (RS) is an enterprise platform designed for help desks to securely access and troubleshoot end-user devices or mobile platforms across any network without a VPN.

BeyondTrust Privileged Remote Access (PRA) is a zero-trust security solution providing vendors and internal admins with granular, audited access to critical infrastructure without granting full network visibility.

What is the impact? #

Successful exploitation of these issues may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to appliances, impact availability, access internal appliance data, and in some configurations gain authenticated privilege escalation.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

  • Remote Support (RS) versions 25.3.2 and prior upgrade to version 25.3.3 and later
  • Privileged Remote Access (PRA) versions 25.3.2 and prior upgrade to version 25.3.3 and later

How to find potentially vulnerable systems with runZero #

From the Services Inventory, use the following query to locate potentially impacted assets:

_asset.protocol:=http AND protocol:=http AND
  (product:="BeyondTrust Remote Support" OR product:="BeyondTrust Privileged Remote Access")
  AND _service.product:beyondtrust

February 2026: CVE-2026-1731 #

BeyondTrust disclosed a pre-authentication remote code execution (RCE) vulnerability affecting certain versions of both Remote Support (RS) and Privileged Remote Access (PRA). This flaw is triggered via specially crafted client requests sent to the appliance. Successful exploitation could allow a remote, unauthenticated adversary to execute arbitrary operating system commands in the context of the site user, potentially leading to full system compromise. The vulnerability has been designated CVE-2026-1731 and has been rated critical with a CVSS score of 9.9.

There is evidence that this vulnerability is being actively exploited in the wild.

    The following versions are affected:

    • Remote Support (RS) versions 25.3.1 and prior
    • Privileged Remote Access (PRA) versions 24.3.4 and prior

    What is the impact? #

    Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

    Are updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • Remote Support (RS) versions 21.3 and older upgrade to a newer version to apply patch BT26-02-RS
    • Remote Support (RS) versions 25.3.1 and prior upgrade to version 25.3.2 and later
    • Privileged Remote Access (PRA) versions 22.1 and older upgrade to a newer version to apply patch BT26-02-PRA
    • Privileged Remote Access (PRA) versions 24.3.4 and prior upgrade to version 25.1.1 and later

    How to find potentially vulnerable systems with runZero #

    From the Services Inventory, use the following query to locate potentially impacted assets:

    _asset.protocol:=http AND protocol:=http AND
      (product:="BeyondTrust Remote Support" OR
      product:="Beyond Trust Remote Support" OR
      product:="BeyondTrust BeyondTrust Remote Support" OR
      product:="BeyondTrust Privileged Remote Access")
      AND _service.product:beyondtrust

    January 2025: CVE-2024-12356 #

    BeyondTrust disclosed that affects their Privileged Remote Access (PRA) and Remote Support (RS) appliances. This has also been added to the CISA KEV as it has been exploited in the wild.

    • CVE-2024-12356 is rated highly-critical with a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an attacker execute arbitrary commands on the appliance.

    What is the impact? #

    The issue impacts PRA and RS versions 24.3.1 and earlier.

    Are updates or workarounds available? #

    BeyondTrust has released a patch for all supported iterations of PRA and RS versions 22.1.x and higher and has applied the patch to cloud customers earlier this week.

    How do I find potentially vulnerable systems with runZero? #

    From the Services Inventory, use the following query to locate systems running potentially vulnerable software:

    vendor:BeyondTrust or http.body:BeyondTrust
    

    From the Assets Inventory, use the following query to locate systems running potentially vulnerable software:

    os:BeyondTrust OR hw:BeyondTrust OR os:Bomgar OR hw:Bomgar

    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

    More about Matthew Kienow

    Written by Cale Black

    More about Cale Black
    Subscribe Now

    Get the latest news and expert insights delivered in your inbox.

    Welcome to the club! Your subscription to our newsletter is successful.

    Explore more runZero

    Product
    Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
    When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
    Product Videos
    runZero 5.0: Platform Demo
    With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
    runZero Perspective
    BOD 26-04: A new era of prioritized remediation
    A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
    runZero Perspective
    Dawn of the apex agentic adversary
    When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
    Podcasts
    Know Your Adversary with HD Moore
    runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.
    Webcasts
    Defending in the shadow era: when the CVE feed goes dark
    HD Moore walks through the three eras of vulnerability management: the predictable cycles era, the triage ara of AI-scale discovery, and now the...
    Webcasts
    runZero Hour, Ep. 31: The New Rules of Risk: EPSS v5 and Agentic Adversaries
    In this episode, learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic...
    Webcasts
    Beyond the Zero-Day: Mapping the network attackers actually see
    Breaches are inevitable. Learn from HD Moore how attackers exploit the seams between IT, IoT, and OT networks — and how to fix the segmentation...

    See Results in Minutes

    See & secure your total attack surface. Even the unknowns & unmanageable.