The box that brokers privileged access into your servers is the highest-value target you own, because whoever controls it controls everything downstream of it. BeyondTrust just shipped fixes for four bugs in precisely that class of product. Two of them let a stranger skip authentication completely.
The vendor's advisory landed on June 21, 2026, spanning its Remote Support and Privileged Remote Access lines, the tooling companies lean on to grant administrators and outside vendors a way into their estate. Canada's Cyber Centre pushed the same advisory out again on July 6. Anything at 25.3.2 or below is vulnerable; 25.3.3 carries the fix. Nobody has reported an attack yet. For this particular product line, treat that silence as a timer.
Four bugs, two that walk straight past the login
Start with the pair that matters. CVE-2026-40138 and CVE-2026-40139 each land at CVSS 9.2, and both sit in how the appliance decides who you are. The first, present in both product lines, comes down to weak checking of the data an authentication attempt carries. The second, limited to Remote Support, is a flaw in how that product handles the login request itself. Either one hands an unauthenticated caller a route to an account with elevated rights. The other two rate lower: the 8.7-scored CVE-2026-40140 is a pre-auth denial of service that can drop an appliance offline, and CVE-2026-40141, at 8.5, only helps an attacker who already holds a low-privilege account reach data outside their lane.
| CVE | Severity | Products | Pre-auth | Impact |
|---|---|---|---|---|
| CVE-2026-40138 | Critical, CVSS 9.2 | Remote Support, PRA | Yes | Authentication bypass to elevated access |
| CVE-2026-40139 | Critical, CVSS 9.2 | Remote Support | Yes | Authentication bypass |
| CVE-2026-40140 | High, CVSS 8.7 | Remote Support, PRA | Yes | Denial of service |
| CVE-2026-40141 | High, CVSS 8.5 | Remote Support, PRA | No | Authenticated access to restricted resources |
Sorting your internet-facing systems by which ones carry a live, reachable flaw, and floating the two pre-auth criticals to the top of that queue, is what managed vulnerability detection is for. A 9.2 on a box the whole internet can touch beats a 9.8 buried behind three firewalls.
'Needs a specific configuration' is not 'needs luck'
The advisory notes that both criticals only fire when a particular authentication configuration is turned on. The temptation is to read that as permission to wait. Do not. The whole reason a shop stands up a privileged-access appliance is to centralize logins, which means wiring in single sign-on, SAML, or an outside identity provider, the exact non-default setups the caveat points at. That configuration is not a corner case; it describes the mature environments most likely to run this gear in the first place. Hold your live authentication settings up against the advisory before you file the criticals under 'not us'.
A remote-access broker is not a set-and-forget box
BeyondTrust's products have been the way in before. A pair of 2024 zero-days in Remote Support, tracked as CVE-2024-12356 plus CVE-2024-12686, was abused during the 2024 US Treasury compromise, where a stolen API key let intruders reach 17 of the vendor's hosted Remote Support tenants. Another pre-auth bug in the same product, CVE-2026-1731, was reported to have been used to deliver ransomware. The through-line does not move: a privileged-access broker is tier-0 identity infrastructure, it sits on the public internet by design, and it is worth more to an attacker than most of what it guards.
The category rhymes with itself. A forged key recently opened SimpleHelp's remote-support servers, and Ivanti Sentry showed the other failure mode, where the patch sealed the hole after the intrusion was already inside. Shadowserver's scans currently find close to 2,000 of these BeyondTrust appliances sitting on the open internet. That is a ready-made target list. Keeping eyes on a box you cannot re-architect overnight, and spotting the session that has no business being there, is the day job of threat hunting.
This time the machine was defending
By its own account, BeyondTrust turned these bugs up in-house, during routine security testing, with help from Anthropic's Claude Opus 4.8 models and internal research tooling. Sit with that for a second, because the year's other AI-security stories run the opposite direction: agents coaxed into spilling private data, coding assistants argued into running the very commands they had just declined, a hand audit that missed defects a model later resurfaced. AI on the defender's side trims the attacker's head start, but only if patching keeps pace with what the vendor's model finds. A flaw fixed before it goes public rewards precisely one group: the customers who install the update.
Upgrade to 25.3.3, then hunt the exposure window
Move both products to 25.3.3 or newer now; no half-measure competes with the patch. After that, because the criticals need no credentials and these boxes face outward, the evidence you are chasing lives at the authentication and network layer rather than on any endpoint: logins that succeeded from networks you do not recognize, admin sessions that never came through a sanctioned jump host, account or config edits that trail an inbound connection. Pulling those appliance authentication logs into one place and genuinely watching them is log management's remit, and it is the only way to answer 'were we already hit' once the window has closed. While you are in the console, fence the management interface to source ranges you trust. And do not let 'no exploit yet' lull you: Microsoft tagged a SharePoint bug as unlikely to be exploited not long before CISA confirmed the opposite. Assume your appliance joins a scan queue within days of the advisory, and plan back from there.