BeyondTrust Patches Two Critical Pre-Authentication Flaws in Remote Support and Privileged Access Tools
Attackers need no password to exploit CVE-2026-40138, rated 9.2 out of 10. Every self-hosted BeyondTrust appliance is exposed until patched.

BeyondTrust shipped emergency security patches in July 2026 for two critical vulnerabilities in its Remote Support and Privileged Remote Access products, flaws that require zero credentials to trigger.
What the vulnerabilities actually do
The more severe bug, tracked as CVE-2026-40138, carries a CVSS score of 9.2 out of 10. Pre-authentication means exactly what it sounds like: an attacker does not log in. They reach the appliance over the network and the exploit fires before any username or password prompt enters the picture.
A second vulnerability was disclosed alongside it. The two flaws together create a pathway for an outsider to seize control of systems that are, by design, wired into everything else. Think of it as handing a skeleton key to someone who never had to ask for a copy.
BeyondTrust's Remote Support and Privileged Remote Access tools are installed at banks, hospitals, government agencies, and large retailers. IT staff use them to open sessions on employee laptops, servers, and databases. Third-party contractors use them too. Compromise one of these appliances and the attacker inherits whatever reach the technicians have: payroll files, patient records, point-of-sale systems.
Why BeyondTrust gets watched more closely than most vendors
This is not the first time BeyondTrust has appeared in a significant incident. In late 2024, a state-linked intrusion at the US Treasury Department ran through compromised BeyondTrust infrastructure. That incident put regulators and large enterprise customers on notice. Any new advisory from this vendor lands with extra weight because of that history.
The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities was a factor in 14 percent of breaches, a figure that has nearly tripled in three years. Pre-authentication flaws in network-reachable management tools are a preferred entry point precisely because they bypass the credentials layer entirely.
The control that failed here
The core failure in this class of vulnerability is not a misconfiguration or a phishing email. It is an unpatched system sitting on an accessible network segment. Remote support appliances are by nature reachable: they have to be, to do their job. That same accessibility makes them high-value targets. When a critical patch arrives for a tool in this category, the window between publication and active exploitation is measured in days, sometimes hours, not weeks.
Organisations that apply patches on a monthly cycle face genuine exposure with a 9.2-rated pre-auth flaw. Emergency patch procedures exist for exactly this scenario. If your team does not have a documented process for breaking the normal change-management cycle when a critical vulnerability drops, that gap deserves immediate attention.
The human layer that still matters
Technical patching is the first priority. But there is a human dimension here that organisations often overlook. Employees in IT and security teams need to recognise what a compromised remote-support session looks like, and non-technical staff need to treat unexpected IT contact with healthy suspicion. A successful exploit against one of these tools does not arrive looking like a phishing email. It arrives looking like a normal help-desk session, from a legitimate tool, doing things it should not be doing.
Training staff to question unsolicited remote-access requests, to verify caller identity through a separate channel, and to report anything that feels off is a practical complement to the technical controls. Security-awareness programmes that include scenario-based exercises around fake IT support calls have measurable impact on how quickly employees escalate suspicious activity.
The Verizon DBIR consistently shows that the human element remains present in a majority of breaches, even when the initial entry point is technical. Culture and training do not replace patching. They catch what patching misses.
What customers must do right now
BeyondTrust's own security advisory lists fixed versions for each supported release. Administrators should treat this as a priority-one response:
- Apply the vendor patch or hotfix to every Remote Support and Privileged Remote Access appliance that is self-hosted or on-premise. Cloud-hosted customers whose appliances BeyondTrust manages directly are typically updated by the vendor, but confirm this with your account team rather than assuming.
- Review appliance logs for unusual sessions, unexpected configuration changes, or new user accounts created in the past several weeks. Do not limit the lookback to the date the advisory published. Attackers may have been active before disclosure.
- Restrict management interfaces to trusted network ranges while patching is in progress. If the appliance does not need to be reachable from the open internet during the patch window, pull it back.
- Check whether your organisation has a process for accelerated patching outside the standard change cycle. If not, this incident is the prompt to build one.
Regulatory obligations to consider
US-listed companies running affected BeyondTrust appliances face a specific consideration. The SEC's cybersecurity disclosure rules under 17 CFR 229.106, in force since December 2023, require companies to report material cybersecurity incidents on Form 8-K Item 1.05 within four business days of a materiality determination. Whether a successful exploit of these vulnerabilities rises to that threshold depends on the facts each registrant assesses. Legal and compliance teams should be looped in now, before an incident occurs, not after.
A note for everyone else
Most people will never open a BeyondTrust console. But if your employer, your bank, or your hospital uses one, this matters to you. Real IT staff do not cold-call and ask for one-time codes. They do not request screen access through a tool you have never seen before. If someone contacts you claiming to be IT support, verify through a known internal number before granting any access. That single habit has stopped real intrusions. It costs nothing to practice.
BeyondTrust is expected to publish further guidance as patching progresses and any exploitation activity becomes clearer. Monitor the vendor advisory page directly for updates.
For organisations looking to assess their current security controls against frameworks like NIST and ISO 27001, now is a sensible moment to review where remote access management sits in your risk register.
How this could have been prevented
- Implement an emergency patching process that bypasses standard change-management cycles for critical-rated vulnerabilities, with a defined SLA of 24 to 48 hours for network-reachable systems.
- Restrict remote-access appliance management interfaces to known, trusted IP ranges and conduct quarterly access reviews to ensure contractor and third-party permissions are still necessary.
- Run scenario-based security-awareness training that includes fake IT support calls and unexpected remote-access requests, so employees recognise and report social-engineering attempts that follow a technical compromise.
Train2Secure's security-awareness programmes include hands-on exercises built around exactly these scenarios, helping your team close the human gap that technical patches cannot reach.
Start free, no card requiredSources & further reading
Frequently asked questions
What is CVE-2026-40138 and why is a 9.2 CVSS score significant?
CVE-2026-40138 is a pre-authentication vulnerability in BeyondTrust's Remote Support and Privileged Remote Access products. A CVSS score of 9.2 out of 10 places it in the critical tier, meaning the potential impact is severe and exploitation requires minimal conditions, specifically no valid credentials at all.
Do cloud-hosted BeyondTrust customers need to act?
BeyondTrust typically patches cloud-hosted appliances on behalf of customers, but organisations should confirm with their account team rather than assuming coverage. On-premise and self-hosted customers must apply the patches themselves immediately.
How quickly could attackers exploit a pre-authentication flaw like this?
Pre-authentication vulnerabilities in network-reachable tools are among the fastest to be weaponised after public disclosure. Security researchers and threat actors both scan for exposed appliances. The window between patch release and active exploitation is often measured in days, making emergency patching the appropriate response.
What should non-technical employees do if they suspect their company uses BeyondTrust?
Non-technical staff cannot patch appliances themselves, but they can refuse unexpected remote-access requests and verify any unsolicited IT contact through a known internal number. Reporting suspicious activity quickly to the security team is the most valuable action an individual employee can take.



