ctipilot.ch

BeyondTrust RS/PRA pre-auth authentication bypass (CVSS4 9.2), NCSC-CH BT26-03

cve · CVE-2026-40139

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
3
3 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
4
see Related entities below

Story timeline

  1. 2026-07-08CVE-2026-40138/-40139/-40140/-40141 — BeyondTrust Remote Support / Privileged Remote Access: critical pre-auth bypass, flagged by NCSC-CH
    trending-vulnerabilitiesNCSC-CH flags critical pre-auth bypass in BeyondTrust RS/PRA appliances (CVE-2026-40138/-40139)

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com1 (33%)
  • security-hub.ncsc.admin.ch1 (33%)
  • thehackernews.com1 (33%)

Related entities

Entries about BeyondTrust RS/PRA pre-auth authentication bypass (CVSS4 9.2), NCSC-CH BT26-03 (1)

2026-07-08 · view entry permalink →

CVE-2026-40138/-40139/-40140/-40141 — BeyondTrust Remote Support / Privileged Remote Access: critical pre-auth bypass, flagged by NCSC-CH

NCSC-CH's Cyber Security Hub (GovCERT.ch, TLP:CLEAR) flagged BeyondTrust's 7 July 2026 advisory BT26-03 covering four vulnerabilities in Remote Support (RS) and Privileged Remote Access (PRA) appliances — the vendor's remote-support/PAM software used by IT service desks including government administrations (NCSC-CH, 2026-07-07). CVE-2026-40138 and CVE-2026-40139 (both CVSS 4.0 9.2, CRITICAL) sit in the shared authentication subsystem: CVE-2026-40138 stems from improper validation of authentication data and CVE-2026-40139 from improper processing of authentication requests, both letting a network-positioned unauthenticated attacker bypass access controls and obtain administrative access — but only where a specific, non-default authentication configuration (unspecified by the vendor) is enabled. CVE-2026-40140 is an unauthenticated DoS in the network-communication subsystem, and CVE-2026-40141 lets a low-privilege authenticated user reach resources beyond their authorization scope. Affected versions are RS/PRA 25.3.2 and earlier, fixed in 25.3.3; BeyondTrust cloud-hosted customers were already patched on 21 April 2026, so self-hosted customers not on auto-update must apply the April security rollup (BleepingComputer, 2026-07-07). Neither BeyondTrust nor NCSC-CH reports confirmed in-the-wild exploitation or a public PoC as of this run. Defender takeaway: this is a home-authority advisory on a high-value target class — remote-support/PAM appliances broker privileged sessions into the estate, and BeyondTrust RS/PRA flaws have come under repeated exploitation in the past to deploy web shells and backdoors (The Hacker News, 2026-07-07); prioritise patching and, given the pre-auth admin-access impact, audit appliance authentication logs for administrative sessions created without a corresponding interactive login.

Successful exploitation allows unauthenticated attackers to bypass access controls and gain administrative access.

Exploitation of the critical authentication bypasses requires specific, non-default authentication configurations, which have not been made public, to be enabled on the target appliance.

NCSC Switzerland (GovCERT.ch) — Cyber Security Hub 2026-07-07
vulnerability08 Jul 20:35Zmulti-sourceOpen finding ↗