CVE-2026-40138 – BeyondTrust Remote Support

CVSS 8.1 IMPORTANT Critical or Zero Day – Immediate Deployment

“When authentication breaks before login, attackers don't need an invitation.”

BeyondTrust released security updates for Remote Support and Privileged Remote Access to address multiple Critical and High-severity vulnerabilities. The most severe issues affect the authentication subsystem and could allow unauthenticated attackers to bypass access controls and gain unauthorized access to affected appliances, including privileged accounts, when a specific authentication configuration is enabled. Additional fixes address a pre-authentication denial-of-service vulnerability and an authorization issue that could expose unintended resources to authenticated users with limited privileges.

CVE-2026-40138 has a CVSS score of 9.2, which is Critical severity. CVE-2026-40139 has a CVSS score of 9.2, which is Critical severity. CVE-2026-40140 has a CVSS score of 8.7, which is High severity. CVE-2026-40141 has a CVSS score of 8.5, which is High severity. Verified exploitation has not been reported.

Key Details

Affected Product
Beyondtrust Privileged Remote Access
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-287
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.