BeyondTrust warns of critical flaws in remote access software
ID: aff94a04-9006-538a-b639-9bee3f56e4ea
STIX ID: report--aff94a04-9006-538a-b639-9bee3f56e4ea
Feed Name: Bleeping Computer
BeyondTrust released patches for critical authentication-bypass vulnerabilities in Remote Support (RS) and Privileged Remote Access (PRA) (CVE-2026-40138, CVE-2026-40139) plus two additional high-severity issues; cloud customers were patched on April 21, 2026, while self-hosted instances must apply the April security rollup or upgrade to RS/PRA 25.3.3+. Shadowserver reports nearly 2,000 RS/PRA instances exposed online. Although there are no confirmed reports of these specific CVEs being exploited in the wild, the vendor and prior incidents show that BeyondTrust flaws have been weaponized previously — including RCEs used to deploy ransomware and intrusions attributed to the Silk Typhoon APT.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
